Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1583-1 linux-6.1 security update
ELA-1582-1 erlang security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4383-1] rails security update
[DLA 4380-1] cups-filters security update
[DLA 4382-1] libsdl2 security update
[DLA 4381-1] net-snmp security update
[DLA 4379-1] linux-6.1 security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6062-1] pdfminer security update
[DSA 6061-1] tryton-sao security update
ELA-1583-1 linux-6.1 security update
Package : linux-6.1
Version : 6.1.158-1~deb9u1 (stretch), 6.1.158-1~deb10u1 (buster)
Related CVEs :
CVE-2024-47704
CVE-2024-57924
CVE-2024-58240
CVE-2025-23143
CVE-2025-23160
CVE-2025-37931
CVE-2025-37968
CVE-2025-38322
CVE-2025-38347
CVE-2025-38491
CVE-2025-38502
CVE-2025-38552
CVE-2025-38614
CVE-2025-38670
CVE-2025-38676
CVE-2025-38677
CVE-2025-38679
CVE-2025-38680
CVE-2025-38681
CVE-2025-38683
CVE-2025-38684
CVE-2025-38685
CVE-2025-38687
CVE-2025-38691
CVE-2025-38693
CVE-2025-38694
CVE-2025-38695
CVE-2025-38696
CVE-2025-38697
CVE-2025-38698
CVE-2025-38699
CVE-2025-38700
CVE-2025-38701
CVE-2025-38702
CVE-2025-38706
CVE-2025-38707
CVE-2025-38708
CVE-2025-38711
CVE-2025-38712
CVE-2025-38713
CVE-2025-38714
CVE-2025-38715
CVE-2025-38721
CVE-2025-38723
CVE-2025-38724
CVE-2025-38725
CVE-2025-38727
CVE-2025-38728
CVE-2025-38729
CVE-2025-38732
CVE-2025-38735
CVE-2025-38736
CVE-2025-39673
CVE-2025-39675
CVE-2025-39676
CVE-2025-39681
CVE-2025-39682
CVE-2025-39683
CVE-2025-39684
CVE-2025-39685
CVE-2025-39686
CVE-2025-39687
CVE-2025-39689
CVE-2025-39691
CVE-2025-39692
CVE-2025-39693
CVE-2025-39694
CVE-2025-39697
CVE-2025-39701
CVE-2025-39702
CVE-2025-39703
CVE-2025-39706
CVE-2025-39709
CVE-2025-39710
CVE-2025-39713
CVE-2025-39714
CVE-2025-39715
CVE-2025-39716
CVE-2025-39718
CVE-2025-39719
CVE-2025-39724
CVE-2025-39736
CVE-2025-39737
CVE-2025-39738
CVE-2025-39742
CVE-2025-39743
CVE-2025-39749
CVE-2025-39752
CVE-2025-39756
CVE-2025-39757
CVE-2025-39759
CVE-2025-39760
CVE-2025-39766
CVE-2025-39770
CVE-2025-39772
CVE-2025-39773
CVE-2025-39776
CVE-2025-39782
CVE-2025-39783
CVE-2025-39787
CVE-2025-39788
CVE-2025-39790
CVE-2025-39794
CVE-2025-39795
CVE-2025-39798
CVE-2025-39800
CVE-2025-39801
CVE-2025-39806
CVE-2025-39808
CVE-2025-39812
CVE-2025-39813
CVE-2025-39817
CVE-2025-39819
CVE-2025-39823
CVE-2025-39824
CVE-2025-39825
CVE-2025-39826
CVE-2025-39827
CVE-2025-39828
CVE-2025-39835
CVE-2025-39838
CVE-2025-39839
CVE-2025-39841
CVE-2025-39842
CVE-2025-39843
CVE-2025-39844
CVE-2025-39845
CVE-2025-39846
CVE-2025-39847
CVE-2025-39848
CVE-2025-39849
CVE-2025-39853
CVE-2025-39857
CVE-2025-39860
CVE-2025-39864
CVE-2025-39865
CVE-2025-39866
CVE-2025-40300
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
[SECURITY] [DSA 6062-1] pdfminer security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6062-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
November 25, 2025                       https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : pdfminer
CVE ID : CVE-2025-64512
Debian Bug : 1120642
A vulnerability was discovered in pdfminer, a tool for extracting
information from PDF documents, which may result in the execution of
arbitrary code if a specially crafted PDF file is processed.
For the oldstable distribution (bookworm), this problem has been fixed
in version 20221105+dfsg-1.1~deb12u1.
For the stable distribution (trixie), this problem has been fixed in
version 20221105+dfsg-1.1~deb13u1.
We recommend that you upgrade your pdfminer packages.
For the detailed security status of pdfminer please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/pdfminer
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6061-1] tryton-sao security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6061-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
November 25, 2025                       https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : tryton-sao
CVE ID : not yet available
Abdulfatah Abdillahi discovered a cross-site scripting vulnerability in
the web client of the Tryton application platform.
For the oldstable distribution (bookworm), this problem has been fixed
in version 6.0.28+ds1-2+deb12u2.
For the stable distribution (trixie), this problem has been fixed in
version 7.0.28+ds1-1+deb13u2.
We recommend that you upgrade your tryton-sao packages.
For the detailed security status of tryton-sao please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-sao
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4383-1] rails security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4383-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Bastien Roucariès
November 25, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : rails
Version : 2:6.0.3.7+dfsg-2+deb11u3
CVE ID : CVE-2022-44566 CVE-2023-28362 CVE-2023-38037 CVE-2024-41128
CVE-2024-47887 CVE-2024-47888 CVE-2024-47889 CVE-2024-54133
Debian Bug : 1030050 1051057 1051058 1085376 1089755
rails, a popular server-side application framework, was affected by multiple
vulnerabilities.
CVE-2022-44566
Given a value outside the range of a 64-bit signed integer,
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit, which
defaults to true.
CVE-2023-28362
The redirect_to method in Rails allows provided values
to contain characters which are not legal in an HTTP header
value. This results in the potential for downstream services
which enforce RFC compliance on HTTP response headers to remove
the assigned Location header.
CVE-2023-38037
ActiveSupport::EncryptedFile writes contents that will be
encrypted to a temporary file. The temporary file's permissions
are defaulted to the user's current `umask` settings, meaning
that it's possible for other users on the same system to read
the contents of the temporary file. Attackers that have access
to the file system could possibly read the contents of this
temporary file while a user is editing it.
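The umask problem described above, as an added example that is not Rails' own code: a writer that leaves the temporary file at the umask-derived mode, next to one that creates it with an explicit 0600 mode and O_EXCL, plus a helper that reports the resulting permission bits under a chosen umask. The file names and directory layout are assumptions made for the demonstration; the functions are illustrative and are not the ActiveSupport::EncryptedFile API.

```ruby
# Added example (not Rails code): the failure mode behind CVE-2023-38037 and its fix.
# Writing the plaintext with the default open flags creates the file at
# 0666 & ~umask (typically 0644), readable by every local user. The hardened
# writer asks for 0600 at creation time and uses O_EXCL so an existing file or
# symlink planted at the expected name makes the open fail instead of being reused.
require "tmpdir"

# Vulnerable pattern: File.binwrite creates the file with the umask-derived mode.
def write_plaintext_umask(dir, name, contents)
  path = File.join(dir, name)
  File.binwrite(path, contents)
  path
end

# Hardened pattern: explicit 0600 mode, and refuse to open a pre-existing path.
def write_plaintext_private(dir, name, contents)
  path = File.join(dir, name)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.binmode
    f.write(contents)
  end
  path
end

# Permission bits of a file as an integer (0o644, 0o600, ...).
def mode_bits(path)
  File.stat(path).mode & 0o777
end

# Runs both writers under the given umask (assumed 022, a common default)
# inside a throwaway directory and returns the mode each one produced.
def compare_modes(umask = 0o022)
  old = File.umask(umask)
  Dir.mktmpdir do |dir|
    default_mode = mode_bits(write_plaintext_umask(dir, "secrets.yml.default", "secret"))
    private_mode = mode_bits(write_plaintext_private(dir, "secrets.yml.private", "secret"))
    { umask_default: default_mode, explicit_0600: private_mode }
  end
ensure
  File.umask(old) if old
end
```

With umask 022 the first writer yields 0644 and the hardened one 0600; with umask 0 the first widens to 0666 while the hardened one still yields 0600, because the explicit mode is the ceiling regardless of the process umask.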
CVE-2024-41128
Action Pack is a framework for handling and responding
to web requests. There is a possible ReDoS vulnerability in
the query parameter filtering routines of Action Dispatch.
Carefully crafted query parameters can cause query parameter
filtering to take an unexpected amount of time, possibly
resulting in a DoS vulnerability.
CVE-2024-47887
Action Pack is a framework for handling and responding
to web requests. There is a possible ReDoS vulnerability in
Action Controller's HTTP Token authentication.
For applications using HTTP Token authentication via
`authenticate_or_request_with_http_token` or similar,
a carefully crafted header may cause header parsing
to take an unexpected amount of time, possibly resulting
in a DoS vulnerability.
CVE-2024-47888
Action Text brings rich text content and editing to Rails.
There is a possible ReDoS vulnerability in the
`plain_text_for_blockquote_node` helper in Action Text.
Carefully crafted text can cause the `plain_text_for_blockquote_node`
helper to take an unexpected amount of time,
possibly resulting in a DoS vulnerability.
CVE-2024-47889
Action Mailer is a framework for designing email service layers.
There is a possible ReDoS vulnerability in the block_format helper
in Action Mailer. Carefully crafted text can cause the block_format
helper to take an unexpected amount of time, possibly
resulting in a DoS vulnerability.
CVE-2024-54133
Action Pack is a framework for handling and responding
to web requests. There is a possible Cross Site Scripting (XSS)
vulnerability in the `content_security_policy` helper.
Applications which set Content-Security-Policy (CSP) headers dynamically
from untrusted user input may be vulnerable to carefully crafted
inputs being able to inject new directives into the CSP.
This could lead to a bypass of the CSP and its protection
against XSS and other attacks.
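Header-value validation of the kind behind the fixes for CVE-2023-28362 (redirect_to) and CVE-2024-54133 (content_security_policy), as an added example in Ruby; this is illustrative code, not Rails' implementation of either fix. It rejects a Location value carrying CR/LF instead of letting a downstream proxy strip the header, and it builds a CSP header from per-source tokens that may not contain `;`, `,` or whitespace, shown next to the naive interpolation that lets a user-supplied source append a directive the application never set. The helper names, the hosts and the sample inputs are assumptions.

```ruby
# Added example (not Rails code): validate attacker-influenced text before it
# reaches a response header.

class UnsafeHeaderValue < ArgumentError; end

# RFC 7230 field-value: VCHAR, SP, HTAB and obs-text. CR, LF, other C0 controls
# and DEL are never legal; a proxy enforcing this drops the whole header.
def assert_legal_header_value!(name, value)
  bad = value.each_char.find { |c| o = c.ord; (o < 0x20 && o != 0x09) || o == 0x7F }
  raise UnsafeHeaderValue, "#{name} contains illegal byte 0x#{bad.ord.to_s(16)}" if bad
  value
end

# Location header for a redirect: checked up front, never silently stripped later.
def location_header(target)
  { "Location" => assert_legal_header_value!("Location", target) }
end

# A CSP source expression is a single token. ';' ends the directive and ',' ends
# the header, so either lets the caller smuggle in directives of their own.
def csp_source(value)
  raise UnsafeHeaderValue, "CSP source #{value.inspect} is not a single token" if value =~ /[;,\s]/
  assert_legal_header_value!("Content-Security-Policy", value)
end

# Builds the header from directive => [sources], validating every source.
def content_security_policy(directives)
  directives.map { |d, srcs| "#{d} #{srcs.map { |s| csp_source(s) }.join(' ')}" }.join("; ")
end

# The vulnerable shape: user input interpolated straight into the header value.
def naive_csp(user_src)
  "default-src 'self'; script-src #{user_src}"
end

# Number of directives a parser sees; an injected ';' shows up as an extra one.
def directive_count(header)
  header.split(";").map(&:strip).reject(&:empty?).size
end
```

A browser honours the first occurrence of a directive, so the useful injection is a directive the policy did not set (for example `object-src *`), which is exactly what the single-token rule prevents.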
For Debian 11 bullseye, these problems have been fixed in version
2:6.0.3.7+dfsg-2+deb11u3.
We recommend that you upgrade your rails packages.
For the detailed security status of rails please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rails
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4380-1] cups-filters security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4380-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Thorsten Alteholz
November 25, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : cups-filters
Version : 1.28.7-1+deb11u4
CVE ID : CVE-2025-57812 CVE-2025-64503 CVE-2025-64524
Several issues have been found in cups-filters, which provides additional
CUPS filters that are not part of the CUPS project.
All issues are out-of-bounds reads or writes, or a heap buffer
overflow.
For Debian 11 bullseye, these problems have been fixed in version
1.28.7-1+deb11u4.
We recommend that you upgrade your cups-filters packages.
For the detailed security status of cups-filters please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cups-filters
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4382-1] libsdl2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4382-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Thorsten Alteholz
November 25, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libsdl2
Version : 2.0.14+dfsg2-3+deb11u2
CVE ID : CVE-2022-4743
A security vulnerability has been discovered in SDL2, the Simple
DirectMedia Layer library. The issue is a memory leak, which
might result in denial of service.
For Debian 11 bullseye, this problem has been fixed in version
2.0.14+dfsg2-3+deb11u2.
We recommend that you upgrade your libsdl2 packages.
For the detailed security status of libsdl2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsdl2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4381-1] net-snmp security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4381-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Thorsten Alteholz
November 25, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : net-snmp
Version : 5.9+dfsg-4+deb11u2
CVE ID : CVE-2022-44792 CVE-2022-44793
menglong2234 discovered NULL pointer dereferences in net-snmp, a suite of
Simple Network Management Protocol applications, which could
result in denial of service.
CVE-2022-44792
A remote attacker (with write access) could trigger a NULL
dereference while handling ipDefaultTTL via a crafted UDP packet.
CVE-2022-44793
A remote attacker (with write access) could trigger a NULL
dereference while handling ipv6IpForwarding via a crafted UDP
packet.
For Debian 11 bullseye, these problems have been fixed in version
5.9+dfsg-4+deb11u2.
We recommend that you upgrade your net-snmp packages.
For the detailed security status of net-snmp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/net-snmp
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4379-1] linux-6.1 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4379-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Ben Hutchings
November 25, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : linux-6.1
Version : 6.1.158-1~deb11u1
CVE ID : CVE-2025-21861 CVE-2025-39929 CVE-2025-39931 CVE-2025-39934
CVE-2025-39937 CVE-2025-39938 CVE-2025-39942 CVE-2025-39943
CVE-2025-39944 CVE-2025-39945 CVE-2025-39946 CVE-2025-39949
CVE-2025-39951 CVE-2025-39953 CVE-2025-39955 CVE-2025-39957
CVE-2025-39964 CVE-2025-39967 CVE-2025-39968 CVE-2025-39969
CVE-2025-39970 CVE-2025-39971 CVE-2025-39972 CVE-2025-39973
CVE-2025-39977 CVE-2025-39978 CVE-2025-39980 CVE-2025-39982
CVE-2025-39985 CVE-2025-39986 CVE-2025-39987 CVE-2025-39988
CVE-2025-39993 CVE-2025-39994 CVE-2025-39995 CVE-2025-39996
CVE-2025-39998 CVE-2025-40001 CVE-2025-40006 CVE-2025-40008
CVE-2025-40010 CVE-2025-40011 CVE-2025-40013 CVE-2025-40018
CVE-2025-40019 CVE-2025-40020 CVE-2025-40021 CVE-2025-40022
CVE-2025-40026 CVE-2025-40027 CVE-2025-40029 CVE-2025-40030
CVE-2025-40032 CVE-2025-40035 CVE-2025-40036 CVE-2025-40040
CVE-2025-40042 CVE-2025-40043 CVE-2025-40044 CVE-2025-40048
CVE-2025-40049 CVE-2025-40051 CVE-2025-40053 CVE-2025-40055
CVE-2025-40056 CVE-2025-40060 CVE-2025-40062 CVE-2025-40068
CVE-2025-40070 CVE-2025-40078 CVE-2025-40080 CVE-2025-40081
CVE-2025-40084 CVE-2025-40085 CVE-2025-40087 CVE-2025-40088
CVE-2025-40092 CVE-2025-40093 CVE-2025-40094 CVE-2025-40095
CVE-2025-40096 CVE-2025-40099 CVE-2025-40100 CVE-2025-40103
CVE-2025-40104 CVE-2025-40105 CVE-2025-40106 CVE-2025-40107
CVE-2025-40109 CVE-2025-40111 CVE-2025-40112 CVE-2025-40115
CVE-2025-40116 CVE-2025-40118 CVE-2025-40120 CVE-2025-40121
CVE-2025-40123 CVE-2025-40124 CVE-2025-40125 CVE-2025-40126
CVE-2025-40127 CVE-2025-40134 CVE-2025-40140 CVE-2025-40141
CVE-2025-40153 CVE-2025-40154 CVE-2025-40156 CVE-2025-40167
CVE-2025-40171 CVE-2025-40173 CVE-2025-40176 CVE-2025-40178
CVE-2025-40179 CVE-2025-40183 CVE-2025-40186 CVE-2025-40187
CVE-2025-40188 CVE-2025-40190 CVE-2025-40193 CVE-2025-40194
CVE-2025-40197 CVE-2025-40198 CVE-2025-40200 CVE-2025-40201
CVE-2025-40202 CVE-2025-40204 CVE-2025-40205 CVE-2025-40207
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
For Debian 11 bullseye, these problems have been fixed in version
6.1.158-1~deb11u1. This version additionally includes many more bug
fixes from stable updates 6.1.154-6.1.158.
We recommend that you upgrade your linux-6.1 packages.
For the detailed security status of linux-6.1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-6.1
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1583-1 linux-6.1 security update
Package : linux-6.1
Version : 6.1.158-1~deb9u1 (stretch), 6.1.158-1~deb10u1 (buster)
Related CVEs :
CVE-2025-40207
CVE-2025-40205
CVE-2025-40204
CVE-2025-40202
CVE-2025-40201
CVE-2025-40200
CVE-2025-40198
CVE-2025-40197
CVE-2025-40194
CVE-2025-40193
CVE-2025-40190
CVE-2025-40188
CVE-2025-40187
CVE-2025-40186
CVE-2025-40183
CVE-2025-40179
CVE-2025-40178
CVE-2025-40176
CVE-2025-40173
CVE-2025-40171
CVE-2025-40167
CVE-2025-40156
CVE-2025-40154
CVE-2025-40153
CVE-2025-40141
CVE-2025-40140
CVE-2025-40134
CVE-2025-40127
CVE-2025-40126
CVE-2025-40125
CVE-2025-40124
CVE-2025-40123
CVE-2025-40121
CVE-2025-40120
CVE-2025-40118
CVE-2025-40116
CVE-2025-40115
CVE-2025-40112
CVE-2025-40111
CVE-2025-40109
CVE-2025-40107
CVE-2025-40106
CVE-2025-40105
CVE-2025-40104
CVE-2025-40103
CVE-2025-40100
CVE-2025-40099
CVE-2025-40096
CVE-2025-40095
CVE-2025-40094
CVE-2025-40093
CVE-2025-40092
CVE-2025-40088
CVE-2025-40087
CVE-2025-40085
CVE-2025-40084
CVE-2025-40081
CVE-2025-40080
CVE-2025-40078
CVE-2025-40070
CVE-2025-40068
CVE-2025-40062
CVE-2025-40060
CVE-2025-40056
CVE-2025-40055
CVE-2025-40053
CVE-2025-40051
CVE-2025-40049
CVE-2025-40048
CVE-2025-40044
CVE-2025-40043
CVE-2025-40042
CVE-2025-40040
CVE-2025-40036
CVE-2025-40035
CVE-2025-40032
CVE-2025-40030
CVE-2025-40029
CVE-2025-40027
CVE-2025-40026
CVE-2025-40022
CVE-2025-40021
CVE-2025-40020
CVE-2025-40019
CVE-2025-40018
CVE-2025-40013
CVE-2025-40011
CVE-2025-40010
CVE-2025-40008
CVE-2025-40006
CVE-2025-40001
CVE-2025-39998
CVE-2025-39996
CVE-2025-39995
CVE-2025-39994
CVE-2025-39993
CVE-2025-39988
CVE-2025-39987
CVE-2025-39986
CVE-2025-39985
CVE-2025-39982
CVE-2025-39980
CVE-2025-39978
CVE-2025-39977
CVE-2025-39973
CVE-2025-39972
CVE-2025-39971
CVE-2025-39970
CVE-2025-39969
CVE-2025-39968
CVE-2025-39967
CVE-2025-39964
CVE-2025-39957
CVE-2025-39955
CVE-2025-39953
CVE-2025-39951
CVE-2025-39949
CVE-2025-39946
CVE-2025-39945
CVE-2025-39944
CVE-2025-39943
CVE-2025-39942
CVE-2025-39938
CVE-2025-39937
CVE-2025-39934
CVE-2025-39931
CVE-2025-39929
CVE-2025-21861
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
ELA-1582-1 erlang security update
Package : erlang
Version : 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u5 (stretch), 1:22.2.7+dfsg-1+deb10u4 (buster)
Related CVEs :
CVE-2025-4748
CVE-2025-48038
CVE-2025-48039
CVE-2025-48041
Multiple vulnerabilities were fixed in Erlang, a concurrent, real-time,
distributed functional language.
CVE-2025-4748
Improper Limitation of a Pathname to a Restricted Directory (‘Path
Traversal’) vulnerability in Erlang OTP (stdlib modules) allows
Absolute Path Traversal, File Manipulation. This vulnerability is
associated with program files lib/stdlib/src/zip.erl and program
routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2
unless the memory option is passed.
CVE-2025-48038, CVE-2025-48039, CVE-2025-48041
Allocation of Resources Without Limits or Throttling vulnerability
in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure, Flooding. These vulnerabilities are
associated with program files lib/ssh/src/ssh_sftpd.erl.
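The check that CVE-2025-4748 describes as missing from zip:unzip and zip:extract, as an added example that is not Erlang/OTP code (written in Ruby, the language used for the other examples on this page). Archive member names are attacker-controlled, so an absolute name or one containing `..` must not be joined to the destination directory unless the resolved path still lies inside it. The destination path and the member names are constructed sample input.

```ruby
# Added example (not OTP code): reject zip member names that would write
# outside the extraction directory (absolute-path and ".." traversal).

class ZipSlip < StandardError; end

# Resolves member_name under dest and returns the absolute target path, or
# raises ZipSlip if the member would land outside dest.
def safe_extract_path(dest, member_name)
  root = File.expand_path(dest)
  # Absolute names and "~" must be refused outright: File.expand_path would
  # honour both and ignore the destination entirely.
  if member_name.start_with?("/", "~")
    raise ZipSlip, "absolute or home-relative member name: #{member_name}"
  end
  target = File.expand_path(member_name, root)
  # A lexical prefix check on the normalised path catches "a/../../b" too.
  unless target == root || target.start_with?(root + "/")
    raise ZipSlip, "member escapes destination: #{member_name}"
  end
  target
end

# Splits a list of member names into accepted (name => target path) and rejected.
def triage_members(dest, names)
  accepted = {}
  rejected = []
  names.each do |name|
    begin
      accepted[name] = safe_extract_path(dest, name)
    rescue ZipSlip
      rejected << name
    end
  end
  { accepted: accepted, rejected: rejected }
end
```

This is a lexical check on names only; an archive that first extracts a symlink pointing outside the destination and then writes a later member through it needs a separate check at write time (for example refusing to follow symlinks, or extracting with O_NOFOLLOW), which is outside what this example covers.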