Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster):
ELA-1412-1 libxml2 security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster):
ELA-1411-1 expat security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4146-1] libxml2 security update
[DLA 4145-1] expat security update
[DLA 4150-1] u-boot security update
[DLA 4149-1] nagvis security update
[DLA 4126-2] jinja2 regression update
[DLA 4148-1] vips security update
[DLA 4147-1] fig2dev security update
[DLA 4144-1] qemu security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5911-1] request-tracker4 security update
[DSA 5909-1] request-tracker5 security update
[DSA 5910-1] firefox-esr security update
ELA-1412-1 libxml2 security update
Package : libxml2
Version : 2.9.1+dfsg1-5+deb8u19 (jessie), 2.9.4+dfsg1-2.2+deb9u13 (stretch), 2.9.4+dfsg1-7+deb10u11 (buster)
Related CVEs :
CVE-2025-32414
CVE-2025-32415
Two issues have been found in libxml2, the GNOME XML library.
They are related to an out-of-bounds memory access in the Python API and a heap-buffer-overflow in xmlSchemaIDCFillNodeTables().
ELA-1411-1 expat security update
Package : expat
Version : 2.2.0-2+deb9u10 (stretch), 2.2.6-2+deb10u9 (buster)
Related CVEs :
CVE-2024-50602
An issue has been found in expat, an XML parsing C library.
The issue is related to a crash within XML_ResumeParser() because
XML_StopParser() can stop/suspend an unstarted parser.
[SECURITY] [DLA 4146-1] libxml2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4146-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
April 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libxml2
Version : 2.9.10+dfsg-6.7+deb11u7
CVE ID : CVE-2025-32414 CVE-2025-32415
Two issues have been found in libxml2, the GNOME XML library.
They are related to an out-of-bounds memory access in the Python API and a
heap-buffer-overflow in xmlSchemaIDCFillNodeTables().
For Debian 11 bullseye, these problems have been fixed in version
2.9.10+dfsg-6.7+deb11u7.
We recommend that you upgrade your libxml2 packages.
For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4145-1] expat security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4145-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
April 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : expat
Version : 2.2.10-2+deb11u7
CVE ID : CVE-2024-50602
An issue has been found in expat, an XML parsing C library.
The issue is related to a crash within XML_ResumeParser() because
XML_StopParser() can stop/suspend an unstarted parser.
For Debian 11 bullseye, this problem has been fixed in version
2.2.10-2+deb11u7.
We recommend that you upgrade your expat packages.
For the detailed security status of expat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/expat
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4150-1] u-boot security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4150-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
May 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : u-boot
Version : 2021.01+dfsg-5+deb11u1
CVE ID : CVE-2019-14196 CVE-2022-2347 CVE-2022-30552 CVE-2022-30767
CVE-2022-30790 CVE-2022-33103 CVE-2022-33967 CVE-2022-34835
CVE-2024-57254 CVE-2024-57255 CVE-2024-57256 CVE-2024-57257
CVE-2024-57258 CVE-2024-57259
Debian Bug : 1014470 1014471 1014528 1014529 1014959 1098254
Multiple vulnerabilities were discovered in u-boot, a boot loader for
embedded systems.
CVE-2022-2347
An unchecked length field leading to a heap overflow.
CVE-2022-30552 and CVE-2022-30790
Buffer Overflow.
CVE-2022-30767 (CVE-2019-14196)
Unbounded memcpy with a failed length check, leading to a buffer
overflow. This issue exists due to an incorrect fix for CVE-2019-14196.
CVE-2022-33103
Out-of-bounds write.
CVE-2022-33967
Heap-based buffer overflow vulnerability which may lead to a
denial-of-service (DoS).
CVE-2022-34835
Integer signedness error and resultant stack-based buffer overflow.
CVE-2024-57254
Integer overflow.
CVE-2024-57255
Integer overflow.
CVE-2024-57256
Integer overflow.
CVE-2024-57257
Stack consumption issue.
CVE-2024-57258
Multiple integer overflows.
CVE-2024-57259
Off-by-one error resulting in heap memory corruption.
For Debian 11 bullseye, these problems have been fixed in version
2021.01+dfsg-5+deb11u1.
We recommend that you upgrade your u-boot packages.
For the detailed security status of u-boot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/u-boot
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4149-1] nagvis security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4149-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
May 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : nagvis
Version : 1:1.9.25-2+deb11u1
CVE ID : CVE-2021-33178 CVE-2022-3979 CVE-2022-46945 CVE-2023-46287
CVE-2024-13722 CVE-2024-13723 CVE-2024-47093
Multiple vulnerabilities were discovered in nagvis, a visualization
addon for Nagios or Icinga.
CVE-2021-33178
Due to an authenticated path traversal vulnerability, a malicious actor
has the ability to arbitrarily delete files on the local system.
CVE-2022-3979
Due to a type juggling vulnerability, a remote attacker could
successfully guess an authentication cookie.
CVE-2022-46945
An attacker can read arbitrary files.
CVE-2023-46287
An XSS vulnerability exists in a function.
CVE-2024-13722 / CVE-2024-47093
Multiple XSS vulnerabilities exist.
CVE-2024-13723 / CVE-2024-47093
Multiple RCE vulnerabilities exist. An authenticated attacker with
administrative level privileges is able to upload a malicious PHP file
and modify specific settings to execute the contents of the file as
PHP.
For Debian 11 bullseye, these problems have been fixed in version
1:1.9.25-2+deb11u1.
We recommend that you upgrade your nagvis packages.
For the detailed security status of nagvis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nagvis
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4126-2] jinja2 regression update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4126-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Lucas Kanashiro
April 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : jinja2
Version : 2.11.3-1+deb11u4
CVE ID : CVE-2025-27516
Debian Bug : #1103045
The fix for CVE-2025-27516 announced in DLA-4126 did not support Python 2.
Python 2 support has now been reinstated.
For Debian 11 bullseye, this problem has been fixed in version
2.11.3-1+deb11u4.
We recommend that you upgrade your jinja2 packages.
For the detailed security status of jinja2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jinja2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5911-1] request-tracker4 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5911-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 30, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : request-tracker4
CVE ID : CVE-2024-3262 CVE-2025-2545 CVE-2025-30087
Debian Bug : 1068452
Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system, which could result in
information disclosure, cross-site scripting and use of weak encryption
for S/MIME emails.
For the stable distribution (bookworm), these problems have been fixed
in version 4.4.6+dfsg-1.1+deb12u2.
We recommend that you upgrade your request-tracker4 packages.
For the detailed security status of request-tracker4 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/request-tracker4
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 5909-1] request-tracker5 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5909-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 30, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : request-tracker5
CVE ID : CVE-2024-3262 CVE-2025-2545 CVE-2025-30087 CVE-2025-31500
CVE-2025-31501
Debian Bug : 1068453
Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system, which could result in
information disclosure, cross-site scripting and use of weak encryption
for S/MIME emails.
For the stable distribution (bookworm), these problems have been fixed
in version 5.0.3+dfsg-3~deb12u3.
We recommend that you upgrade your request-tracker5 packages.
For the detailed security status of request-tracker5 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/request-tracker5
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 5910-1] firefox-esr security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5910-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 30, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : firefox-esr
CVE ID : CVE-2025-4083 CVE-2025-4087 CVE-2025-4091 CVE-2025-4093
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or a bypass of sandbox restrictions.
For the stable distribution (bookworm), these problems have been fixed in
version 128.10.0esr-1~deb12u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4148-1] vips security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4148-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
April 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : vips
Version : 8.10.5-2+deb11u1
CVE ID : CVE-2025-29769
A heap-based buffer overflow was discovered in vips, an image processing
system, which could lead to denial of service when processing specially
crafted TIFF images.
For Debian 11 bullseye, this problem has been fixed in version
8.10.5-2+deb11u1.
We recommend that you upgrade your vips packages.
For the detailed security status of vips please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vips
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4147-1] fig2dev security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4147-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
April 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : fig2dev
Version : 1:3.2.8-3+deb11u3
CVE ID : CVE-2025-46397 CVE-2025-46398 CVE-2025-46399 CVE-2025-46400
Multiple vulnerabilities were found in fig2dev, a utility for converting
XFig figure files, which could lead to code execution or denial of
service upon specially crafted input files.
CVE-2025-46397
A stack overflow vulnerability in the bezier_spline() function could
allow code execution via local input manipulation.
CVE-2025-46398
A stack overflow vulnerability in the read_objects() function could
allow code execution via local input manipulation.
CVE-2025-46399
A segmentation fault in the genge_itp_spline() function could lead to
denial of service via local input manipulation.
CVE-2025-46400
A segmentation fault in the read_arcobject() function could lead to
denial of service via local input manipulation.
For Debian 11 bullseye, these problems have been fixed in version
1:3.2.8-3+deb11u3.
We recommend that you upgrade your fig2dev packages.
For the detailed security status of fig2dev please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fig2dev
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4144-1] qemu security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4144-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
April 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : qemu
Version : 1:5.2+dfsg-11+deb11u4
CVE ID : CVE-2023-1544 CVE-2023-3019 CVE-2023-5088 CVE-2023-6693
CVE-2024-3447
Debian Bug : 1034179 1041102 1068821
Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service or information leak.
CVE-2023-1544
Potential out-of-bounds read and crash via VMware's paravirtual RDMA device.
CVE-2023-3019
Use-after-free error in the e1000e NIC emulation.
CVE-2023-5088
An IDE guest I/O operation addressed to an arbitrary disk offset may
allow the VM's boot code to be overwritten.
CVE-2023-6693
Stack-based buffer overflow in the virtio-net device emulation that may be
exploited to cause an information leak.
CVE-2024-3447
Heap-based buffer overflow in SDHCI device emulation.
For Debian 11 bullseye, these problems have been fixed in version
1:5.2+dfsg-11+deb11u4.
We recommend that you upgrade your qemu packages.
For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS