Debian 10694 Published by

Debian GNU/Linux has received several security updates, including Linux kernel and OpenJDK security updates for Debian 12 and an Apache2 and Kernel security update for Debian 11 LTS:

[DSA 5973-1] linux security update
[DSA 5972-1] openjdk-17 security update
[DLA 4270-1] apache2 security update
[DLA 4271-1] linux-6.1 security update




[SECURITY] [DSA 5973-1] linux security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5973-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 12, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2024-36350 CVE-2024-36357 CVE-2024-36913 CVE-2024-41013
CVE-2024-56758 CVE-2024-57883 CVE-2025-21816 CVE-2025-22119
CVE-2025-27558 CVE-2025-37958 CVE-2025-38000 CVE-2025-38001
CVE-2025-38003 CVE-2025-38004 CVE-2025-38031 CVE-2025-38034
CVE-2025-38035 CVE-2025-38037 CVE-2025-38040 CVE-2025-38043
CVE-2025-38044 CVE-2025-38048 CVE-2025-38051 CVE-2025-38052
CVE-2025-38058 CVE-2025-38061 CVE-2025-38062 CVE-2025-38063
CVE-2025-38065 CVE-2025-38066 CVE-2025-38067 CVE-2025-38068
CVE-2025-38071 CVE-2025-38072 CVE-2025-38074 CVE-2025-38075
CVE-2025-38077 CVE-2025-38078 CVE-2025-38079 CVE-2025-38083
CVE-2025-38084 CVE-2025-38085 CVE-2025-38086 CVE-2025-38088
CVE-2025-38090 CVE-2025-38097 CVE-2025-38100 CVE-2025-38102
CVE-2025-38103 CVE-2025-38107 CVE-2025-38108 CVE-2025-38111
CVE-2025-38112 CVE-2025-38113 CVE-2025-38115 CVE-2025-38118
CVE-2025-38119 CVE-2025-38120 CVE-2025-38122 CVE-2025-38124
CVE-2025-38126 CVE-2025-38131 CVE-2025-38135 CVE-2025-38136
CVE-2025-38138 CVE-2025-38142 CVE-2025-38143 CVE-2025-38145
CVE-2025-38146 CVE-2025-38147 CVE-2025-38148 CVE-2025-38151
CVE-2025-38153 CVE-2025-38154 CVE-2025-38157 CVE-2025-38158
CVE-2025-38159 CVE-2025-38160 CVE-2025-38161 CVE-2025-38163
CVE-2025-38165 CVE-2025-38166 CVE-2025-38167 CVE-2025-38170
CVE-2025-38173 CVE-2025-38174 CVE-2025-38180 CVE-2025-38181
CVE-2025-38183 CVE-2025-38184 CVE-2025-38185 CVE-2025-38190
CVE-2025-38191 CVE-2025-38193 CVE-2025-38194 CVE-2025-38197
CVE-2025-38198 CVE-2025-38200 CVE-2025-38202 CVE-2025-38211
CVE-2025-38212 CVE-2025-38214 CVE-2025-38215 CVE-2025-38218
CVE-2025-38219 CVE-2025-38222 CVE-2025-38225 CVE-2025-38226
CVE-2025-38227 CVE-2025-38229 CVE-2025-38230 CVE-2025-38231
CVE-2025-38236 CVE-2025-38239 CVE-2025-38245 CVE-2025-38249
CVE-2025-38251 CVE-2025-38257 CVE-2025-38259 CVE-2025-38260
CVE-2025-38262 CVE-2025-38263 CVE-2025-38273 CVE-2025-38275
CVE-2025-38277 CVE-2025-38280 CVE-2025-38282 CVE-2025-38285
CVE-2025-38286 CVE-2025-38293 CVE-2025-38298 CVE-2025-38300
CVE-2025-38304 CVE-2025-38305 CVE-2025-38310 CVE-2025-38312
CVE-2025-38313 CVE-2025-38319 CVE-2025-38320 CVE-2025-38323
CVE-2025-38324 CVE-2025-38326 CVE-2025-38328 CVE-2025-38331
CVE-2025-38332 CVE-2025-38334 CVE-2025-38336 CVE-2025-38337
CVE-2025-38342 CVE-2025-38344 CVE-2025-38345 CVE-2025-38346
CVE-2025-38348 CVE-2025-38350 CVE-2025-38352 CVE-2025-38354
CVE-2025-38362 CVE-2025-38363 CVE-2025-38364 CVE-2025-38365
CVE-2025-38371 CVE-2025-38375 CVE-2025-38377 CVE-2025-38380
CVE-2025-38382 CVE-2025-38384 CVE-2025-38385 CVE-2025-38386
CVE-2025-38387 CVE-2025-38389 CVE-2025-38391 CVE-2025-38393
CVE-2025-38395 CVE-2025-38396 CVE-2025-38399 CVE-2025-38400
CVE-2025-38401 CVE-2025-38403 CVE-2025-38404 CVE-2025-38406
CVE-2025-38409 CVE-2025-38410 CVE-2025-38412 CVE-2025-38415
CVE-2025-38416 CVE-2025-38418 CVE-2025-38419 CVE-2025-38420
CVE-2025-38422 CVE-2025-38424 CVE-2025-38425 CVE-2025-38428
CVE-2025-38430 CVE-2025-38437 CVE-2025-38439 CVE-2025-38441
CVE-2025-38443 CVE-2025-38444 CVE-2025-38445 CVE-2025-38448
CVE-2025-38451 CVE-2025-38455 CVE-2025-38456 CVE-2025-38457
CVE-2025-38458 CVE-2025-38459 CVE-2025-38460 CVE-2025-38461
CVE-2025-38462 CVE-2025-38464 CVE-2025-38465 CVE-2025-38466
CVE-2025-38467 CVE-2025-38468 CVE-2025-38470 CVE-2025-38471
CVE-2025-38472 CVE-2025-38473 CVE-2025-38474 CVE-2025-38476
CVE-2025-38477 CVE-2025-38478 CVE-2025-38480 CVE-2025-38481
CVE-2025-38482 CVE-2025-38483 CVE-2025-38485 CVE-2025-38487
CVE-2025-38488 CVE-2025-38494 CVE-2025-38495 CVE-2025-38497
CVE-2025-38498 CVE-2025-38499

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

For the oldstable distribution (bookworm), these problems have been fixed
in version 6.1.147-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5972-1] openjdk-17 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5972-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 12, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjdk-17
CVE ID : CVE-2025-30749 CVE-2025-30754 CVE-2025-50059 CVE-2025-50106

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service, information disclosure or weakened
TLS connections.

For the oldstable distribution (bookworm), these problems have been fixed
in version 17.0.16+8-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4270-1] apache2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4270-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
August 12, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : apache2
Version : 2.4.65-1~deb11u1
CVE ID : CVE-2024-42516 CVE-2024-43204 CVE-2024-43394 CVE-2024-47252
CVE-2025-23048 CVE-2025-49630 CVE-2025-49812 CVE-2025-53020
CVE-2025-54090

Multiple vulnerabilities have been addressed in Apache,
a widely used web server.

Please note that the fix for CVE-2025-23048, included in this DLA,
may cause some SSL-enabled websites to encounter the error AH02032.
Additional details are provided at the end of this advisory.

CVE-2024-42516

HTTP response splitting in the core of Apache HTTP Server allows an
attacker who can manipulate the Content-Type response headers of
applications hosted or proxied by the server to split the HTTP response.

CVE-2024-43204

An SSRF (Server Side Request Forgery) was found in Apache HTTP Server
with mod_proxy loaded that allows an attacker to send outbound proxy
requests to a URL controlled by the attacker. This attack requires an
unlikely configuration where mod_headers is configured to modify the
Content-Type request or response header with a value provided in the
HTTP request.

CVE-2024-43394

A Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows
could allow NTLM hashes to leak to a malicious server via mod_rewrite
or Apache expressions that pass unvalidated request input.

CVE-2024-47252

Insufficient escaping of user-supplied data in mod_ssl allows an untrusted
SSL/TLS client to insert escape characters into log files in some
configurations. In a logging configuration where CustomLog is used with
"%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as
SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and
unsanitized data provided by the client may appear in log files.

CVE-2025-23048

An access control bypass by trusted clients is possible using TLS 1.3
session resumption. Configurations are affected when mod_ssl is
configured for multiple virtual hosts, with each restricted to a
different set of trusted client certificates
(for example with a different SSLCACertificateFile/Path setting).
In such a case, a client trusted to access one virtual host may be able to
access another virtual host, if SSLStrictSNIVHostCheck is not enabled
in either virtual host.

CVE-2025-49630

In certain proxy configurations, a denial of service attack against
Apache HTTP Server can be triggered by untrusted clients causing
an assertion in mod_proxy_http2. Affected configurations are those
where a reverse proxy is configured for an HTTP/2 backend with
ProxyPreserveHost set to "on".

CVE-2025-49812

In some mod_ssl configurations on Apache HTTP server, an HTTP
desynchronisation attack allows a man-in-the-middle attacker
to hijack an HTTP session via a TLS upgrade. Only configurations
using "SSLEngine optional" to enable TLS upgrades are affected.
Support for TLS upgrade was removed.

CVE-2025-53020

A late Release of Memory after Effective Lifetime vulnerability
was found in Apache HTTP Server.

CVE-2025-54090

A bug in Apache HTTP Server 2.4.64 results in all
"RewriteCond expr ..." tests evaluating as "true".

For Debian 11 bullseye, these problems have been fixed in version
2.4.65-1~deb11u1.

Note that following the resolution of CVE-2025-23048,
some SSL-enabled websites may begin encountering
the error (AH02032):

Misdirected Request:
The client needs a new connection for this request as the
requested host name does not match the Server Name Indication
(SNI) in use for this connection.

This behavior is particularly noticeable with AWS Application
Load Balancers. Although they support intelligent SNI handling,
they do not (as of this writing) relay SNI data to the target
server, resulting in failed connections when hostnames don't align.

Without an SNI provided by the client, there is nothing httpd
can do to determine which vhost/configuration should be
used to provide the correct certificate (and TLS authentication
eventually) whenever multiple vhosts listen on the same IP:port.

That's because reading the HTTP Host header necessarily has to
happen after the TLS handshake/auth/decryption (and later
renegotiation is not an option with TLSv1.3).

So those connections fall back to the first vhost declared on
the IP:port for the TLS handshake part, and if the request
Host header finally matches a different vhost with a different
TLS configuration it's rejected with AH02032.

Before 2.4.64 the check was not accurate and would allow that,
with security implications.

As a workaround, you may (after a risk analysis) generate a
wildcard certificate. If you're managing multiple domains,
consolidate them into a single certificate by including each
wildcard domain as an alias. Then, update the Apache configuration
to reference this unified certificate.

Another possible workaround is to configure each virtual host to
listen on a separate port. This approach avoids SNI-related issues
by ensuring that each vhost is uniquely addressed through its own
connection endpoint, thereby allowing distinct TLS configurations
without ambiguity.

This error may also stem from a misconfigured HAProxy setup.
In such cases, enabling dynamic SNI handling on HAProxy might be
necessary to ensure that the correct hostname is passed through
during the TLS handshake. After risk analysis, it could be done
by using the "sni req.hdr(Host)" directive.
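The following is an added worked example, not text or code from the Debian advisory and not httpd's own source, that models in Python the vhost selection logic described above: the TLS handshake can only consult SNI (falling back to the first vhost declared on the IP:port when none is sent), the Host header is only readable afterwards, and a request whose Host selects a vhost with a different TLS configuration than the handshake used is rejected with AH02032. It also runs the three situations the advisory discusses: a front end that does not relay SNI, a front end that does relay it (as HAProxy would with "sni req.hdr(Host)"), and the two workarounds (one shared wildcard certificate, or one port per vhost). The Vhost class, the host names and the configuration labels are constructed for this example, and treating identical labels as "TLS settings httpd would consider equivalent" is a simplification of httpd's real comparison.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Error label as it appears in the advisory.
AH02032 = "AH02032: Misdirected Request"


@dataclass(frozen=True)
class Vhost:
    """One <VirtualHost> on a single IP. Constructed for this example."""
    server_name: str    # ServerName, matched against SNI and the Host header
    port: int           # port the vhost listens on
    tls_config: str     # label standing in for certificate + client-auth settings


def select_tls_vhost(vhosts: List[Vhost], port: int, sni: Optional[str]) -> Vhost:
    """Vhost whose TLS configuration is used for the handshake on this IP:port.

    Only SNI is available at this point; without it httpd can do nothing
    but fall back to the first vhost declared on the IP:port.
    """
    on_port = [v for v in vhosts if v.port == port]
    if not on_port:
        raise ValueError(f"no vhost listens on port {port}")
    if sni is not None:
        for v in on_port:
            if v.server_name == sni:
                return v
    return on_port[0]


def route_request(vhosts: List[Vhost], port: int, sni: Optional[str],
                  host_header: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (served vhost name, None) or (None, AH02032).

    The Host header is decrypted only after the handshake (and TLS 1.3 has
    no renegotiation to fix things up later). If Host selects a vhost whose
    TLS configuration differs from the one the handshake used, httpd 2.4.64+
    rejects the request with AH02032 instead of silently serving it.
    """
    tls_vhost = select_tls_vhost(vhosts, port, sni)
    on_port = [v for v in vhosts if v.port == port]
    # An unknown Host is served by the default (first declared) vhost on the port.
    target = next((v for v in on_port if v.server_name == host_header), on_port[0])
    if target.tls_config != tls_vhost.tls_config:
        return None, AH02032
    return target.server_name, None


# Constructed configuration: two vhosts on the same IP:443, each trusting a
# different set of client certificates (different SSLCACertificateFile).
SHARED_PORT = [
    Vhost("a.example.test", 443, "cert-a+client-ca-A"),
    Vhost("b.example.test", 443, "cert-b+client-ca-B"),
]

# Workaround 1: one wildcard certificate, i.e. one TLS configuration for both.
WILDCARD = [
    Vhost("a.example.test", 443, "wildcard-cert"),
    Vhost("b.example.test", 443, "wildcard-cert"),
]

# Workaround 2: each vhost on its own port, so the endpoint alone selects it.
SEPARATE_PORTS = [
    Vhost("a.example.test", 443, "cert-a+client-ca-A"),
    Vhost("b.example.test", 8443, "cert-b+client-ca-B"),
]


def scenarios():
    """(description, result) pairs for the situations the advisory describes."""
    return [
        ("no SNI (front end does not relay it), Host=b -> AH02032",
         route_request(SHARED_PORT, 443, None, "b.example.test")),
        ("no SNI, Host=a (the first vhost) -> served",
         route_request(SHARED_PORT, 443, None, "a.example.test")),
        ("SNI relayed from Host (HAProxy sni req.hdr(Host)), Host=b -> served",
         route_request(SHARED_PORT, 443, "b.example.test", "b.example.test")),
        ("SNI=a but Host=b with differing TLS config -> AH02032",
         route_request(SHARED_PORT, 443, "a.example.test", "b.example.test")),
        ("wildcard certificate, no SNI, Host=b -> served",
         route_request(WILDCARD, 443, None, "b.example.test")),
        ("separate ports, no SNI on 8443, Host=b -> served",
         route_request(SEPARATE_PORTS, 8443, None, "b.example.test")),
    ]


if __name__ == "__main__":
    for description, (served, error) in scenarios():
        print(f"{description}: {served or error}")
```

The model makes the trade-off in the two workarounds visible: the wildcard certificate removes the error by making the two vhosts' TLS configurations identical, which also means they can no longer restrict access to different sets of client certificates, whereas separate ports keep the configurations distinct because the port, not SNI, picks the vhost.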

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4271-1] linux-6.1 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4271-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Ben Hutchings
August 13, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : linux-6.1
Version : 6.1.140-1~deb11u1
CVE ID : CVE-2024-26618 CVE-2024-26783 CVE-2024-26807 CVE-2024-28956
CVE-2024-35790 CVE-2024-36903 CVE-2024-36927 CVE-2024-43840
CVE-2024-46751 CVE-2024-53203 CVE-2024-53209 CVE-2024-57945
CVE-2025-21645 CVE-2025-21839 CVE-2025-21931 CVE-2025-22062
CVE-2025-37819 CVE-2025-37890 CVE-2025-37897 CVE-2025-37901
CVE-2025-37903 CVE-2025-37905 CVE-2025-37909 CVE-2025-37911
CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915
CVE-2025-37917 CVE-2025-37921 CVE-2025-37923 CVE-2025-37924
CVE-2025-37927 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930
CVE-2025-37932 CVE-2025-37936 CVE-2025-37947 CVE-2025-37948
CVE-2025-37949 CVE-2025-37951 CVE-2025-37953 CVE-2025-37959
CVE-2025-37961 CVE-2025-37962 CVE-2025-37963 CVE-2025-37964
CVE-2025-37967 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972
CVE-2025-37990 CVE-2025-37991 CVE-2025-37992 CVE-2025-37994
CVE-2025-37995 CVE-2025-37997 CVE-2025-37998 CVE-2025-38005
CVE-2025-38007 CVE-2025-38009 CVE-2025-38015 CVE-2025-38018
CVE-2025-38020 CVE-2025-38023 CVE-2025-38024 CVE-2025-38027
CVE-2025-38094 CVE-2025-38095 CVE-2025-38177

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

For Debian 11 bullseye, these problems have been fixed in version
6.1.140-1~deb11u1. This additionally includes many more bug fixes from
stable updates 6.1.138-6.1.140.

We recommend that you upgrade your linux-6.1 packages.

For the detailed security status of linux-6.1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-6.1

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS