Debian 10693

Debian has released security updates for four packages. LibXML2 (DSA 5990-1) for Debian 12 and 13 adds guards against a heap use-after-free triggered through libxslt. Node.js (DSA 5991-1) for Debian 12 fixes multiple vulnerabilities covering denial of service, HTTP request smuggling, privilege escalation, a side channel against PKCS#1 v1.5 decryption and a bypass of network import restrictions. For Debian 9 and 10 ELTS, UDisks2 (ELA-1508-1) fixes an out-of-bounds read that can crash the daemon or lead to local privilege escalation, and OpenSSH (ELA-1324-1) fixes a machine-in-the-middle attack against clients that have the VerifyHostKeyDNS option enabled (it is off by default), adds a partial mitigation for an algorithm-negotiation information leak (CVE-2020-14145) and, on Debian 9, fixes a segmentation-fault regression introduced by the fix for CVE-2023-48795.

[DSA 5990-1] libxml2 security update
[DSA 5991-1] nodejs security update
ELA-1508-1 udisks2 security update
ELA-1324-1 openssh security update




[SECURITY] [DSA 5990-1] libxml2 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5990-1 security@debian.org
https://www.debian.org/security/ Aron Xu
August 29, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libxml2
CVE ID : CVE-2025-7425
Debian Bug : 1109122

A flaw was found in libxslt, the XSLT 1.0 processing library, where the
attribute type (atype) flags are modified in a way that corrupts libxml2's
internal memory management. This is addressed by adding guards in libxml2,
the GNOME XML library, that prevent the resulting heap use-after-free.

For the oldstable distribution (bookworm), this problem has been fixed
in version 2.9.14+dfsg-1.3~deb12u4.

For the stable distribution (trixie), this problem has been fixed in
version 2.12.7+dfsg+really2.9.14-2.1+deb13u1.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5991-1] nodejs security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5991-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 29, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : nodejs
CVE ID : CVE-2023-46809 CVE-2024-21892 CVE-2024-22019
CVE-2024-22020 CVE-2024-22025 CVE-2024-27982
CVE-2024-27983 CVE-2025-47153

Multiple vulnerabilities were discovered in Node.js, which could result
in denial of service, HTTP request smuggling, privilege escalation, a
side channel attack against PKCS#1 v1.5 decryption, or a bypass of network
import restrictions.

For the oldstable distribution (bookworm), these problems have been fixed
in version 18.20.4+dfsg-1~deb12u1.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1508-1 udisks2 security update


Package : udisks2
Version : 2.1.8-1+deb9u2 (stretch), 2.8.1-4+deb10u4 (buster)

Related CVEs :
CVE-2025-8067

Michael Imfeld discovered an out-of-bounds read vulnerability in udisks2,
which may result in denial of service (daemon process crash) or, by
mapping an internal file descriptor of the daemon process onto a loop
device, in local privilege escalation.



ELA-1324-1 openssh security update


Package : openssh
Version : 1:7.4p1-10+deb9u10 (stretch), 1:7.9p1-10+deb10u5 (buster)

Related CVEs :
CVE-2025-26465

The Qualys Threat Research Unit (TRU) discovered that the OpenSSH client
is vulnerable to a machine-in-the-middle attack if the VerifyHostKeyDNS
option is enabled (it is disabled by default). This is CVE-2025-26465.

Separately, the client side of OpenSSH 5.7 through 8.4 has an observable
discrepancy in algorithm negotiation: the client orders host key algorithms
so that ones for which it already holds a key come first, which leaks to a
machine-in-the-middle attacker whether this is an initial connection attempt
(no host key for the server cached yet) and lets such attempts be targeted.
This issue was assigned CVE-2020-14145. Completely removing the leak would
cause other problems, but this update includes a partial mitigation: the
default ordering is preferred if the user already has a key that matches
the best-preference default algorithm.
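Because the attack condition above is a client-side setting, the practical check is whether any ssh_config stanza enables it. The following is an added example, not part of the Debian advisory or of OpenSSH: a small parser for the ssh_config syntax as documented in ssh_config(5) (keywords are case-insensitive, written as `Key value` or `Key = value`, `Host` and `Match` lines open a new stanza, and only whole-line `#` comments exist) that reports every stanza setting VerifyHostKeyDNS to yes or ask. The sample configuration is constructed, and `Include` directives are not followed, so run the audit over each file in turn. On a live host, `ssh -G hostname` prints the effective value for one destination; this script instead shows where the value is set.

```python
import re

# "Key value" or "Key = value"; keywords are case-insensitive in ssh_config(5).
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*?)\s*$")


def parse_ssh_config(text):
    """Yield (stanza, keyword, value) for every setting in an ssh_config file.

    stanza is "global" for settings that precede any Host/Match line,
    otherwise the Host/Match line that opened the block. Only whole-line
    '#' comments are recognised, matching ssh_config(5).
    """
    stanza = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            continue  # malformed line; ssh itself would reject the file
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword in ("host", "match"):
            stanza = f"{keyword.capitalize()} {value}"
            continue
        yield stanza, keyword, value


def dns_hostkey_stanzas(text):
    """Return [(stanza, value)] for each VerifyHostKeyDNS set to yes or ask.

    'ask' still looks up SSHFP records and reports a match before prompting,
    so both values make the first connection depend on DNS answers.
    """
    return [
        (stanza, value)
        for stanza, keyword, value in parse_ssh_config(text)
        if keyword == "verifyhostkeydns" and value.lower() in ("yes", "ask")
    ]


# Constructed sample configuration, not taken from any real host.
SAMPLE_CONFIG = """\
# global default applies to every Host that does not override it
VerifyHostKeyDNS=yes
Host build-*.example.net
    User ci
    verifyhostkeydns ask
Host *
    VerifyHostKeyDNS no
    StrictHostKeyChecking ask
"""

if __name__ == "__main__":
    for stanza, value in dns_hostkey_stanzas(SAMPLE_CONFIG):
        print(f"{stanza}: VerifyHostKeyDNS {value}")
```

For the sample above the audit flags the global line and the `build-*.example.net` stanza; the `Host *` block that sets `no` is reported as clean, but note that in ssh the first obtained value wins, so the global `yes` still applies to every destination.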
In addition, the stretch update fixes a regression introduced with the
fix for CVE-2023-48795, which could cause segmentation faults under some
circumstances.

