Debian 10834

Recent Debian security notices cover critical vulnerabilities in mapserver, VLC, and strongswan. The mapserver updates fix a logic flaw in the handling of the map parameter that bypasses the MS_MAP_NO_PATH and MS_MAP_PATTERN security checks, together with a Boolean-based SQL injection through the PropertyName directive of XML Filter Queries. The VLC update fixes an out-of-bounds read in the MMS protocol handler that a malicious MMS server can trigger remotely, and the strongswan update fixes an unchecked AVP length in the EAP-TTLS plugin that an unauthenticated attacker can use for denial of service.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1661-1 mapserver security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4506-1] mapserver security update
[DLA 4507-1] vlc security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6176-1] strongswan security update



[SECURITY] [DLA 4506-1] mapserver security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4506-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
March 23, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : mapserver
Version : 7.6.2-1+deb11u1
CVE ID : CVE-2021-32062 CVE-2025-59431
Debian Bug : 988208

Vulnerabilities were found in mapserver, a CGI-based framework for
Internet map services, which could lead to security controls bypass or
SQL injection.

CVE-2021-32062

Due to a logic flaw in the processing of the map parameter, it is
possible to specify an arbitrary mapfile that bypasses the
`MS_MAP_NO_PATH` and `MS_MAP_PATTERN` security control checks.

CVE-2025-59431

Alwin Warringa discovered that the XML Filter Query directive
`PropertyName` is vulnerable to Boolean-based SQL injection,
allowing an attacker to manipulate backend database queries via
crafted XML Filter Query directives.

For Debian 11 bullseye, these problems have been fixed in version
7.6.2-1+deb11u1.

We recommend that you upgrade your mapserver packages.

For the detailed security status of mapserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mapserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1661-1 mapserver security update


Package : mapserver
Version : 7.0.4-2+deb9u1 (stretch), 7.2.2-1+deb10u1 (buster)

Related CVEs :
CVE-2021-32062
CVE-2025-59431

Vulnerabilities were found in mapserver, a CGI-based framework for
Internet map services, which could lead to security controls bypass or
SQL injection.

CVE-2021-32062

Due to a logic flaw in the processing of the map parameter, it is
possible to specify an arbitrary mapfile that bypasses the
MS_MAP_NO_PATH and MS_MAP_PATTERN security control checks.

CVE-2025-59431

Alwin Warringa discovered that the XML Filter Query directive
PropertyName is vulnerable to Boolean-based SQL injection,
allowing an attacker to manipulate backend database queries via
crafted XML Filter Query directives.


In addition, this update fixes memory and heap-buffer-overflow issues in
the lexer.





[SECURITY] [DLA 4507-1] vlc security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4507-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
March 23, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : vlc
Version : 3.0.23-0+deb11u1
CVE ID : CVE-2025-51602

An out-of-bounds read vulnerability was discovered in VLC media player,
a multimedia player and streamer. The MMS protocol handler in mmstu.c
did not properly validate boundaries when processing a crafted 0x01
response from an MMS server. A remote attacker controlling a malicious
MMS server could exploit this to cause an out-of-bounds read, resulting
in a denial of service (application crash) and potentially leaking
sensitive memory contents.

For Debian 11 bullseye, this problem has been fixed in version
3.0.23-0+deb11u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6176-1] strongswan security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6176-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
March 23, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : strongswan
CVE ID : CVE-2026-25075

Kazuma Matsumoto discovered an integer overflow bug in the EAP-TTLS plugin of
strongSwan, an IKE/IPsec suite.

The EAP-TTLS plugin doesn't check the length field in the header of
attribute-value pairs (AVPs) tunneled in EAP-TTLS, which can cause an integer
underflow that may lead to a crash. An unauthenticated attacker could exploit
this for a DoS attack by sending a crafted message.
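To make the missing check concrete, here is an added example (not strongSwan's code) of a defensive parser for the EAP-TTLS AVP header, assuming the RFC 5281 AVP layout: the Length field counts the header itself, so a value smaller than the header size must be rejected before any subtraction.

```c
/* Added example, not strongSwan's code: a defensive parser for the EAP-TTLS
 * AVP header (layout per RFC 5281, section 10.1). It shows the Length check
 * whose absence lets a crafted AVP push "Length minus header size" below zero. */
#include <stddef.h>
#include <stdint.h>

#define AVP_FLAG_VENDOR    0x80  /* V bit: a 4-byte Vendor-ID follows the header */
#define AVP_HDR_LEN        8
#define AVP_HDR_VENDOR_LEN 12

typedef struct {
    uint32_t code;
    uint8_t flags;
    uint32_t vendor_id;   /* 0 when the V bit is clear */
    const uint8_t *data;
    size_t data_len;      /* payload bytes, excluding padding */
    size_t total_len;     /* bytes consumed, padded to a 4-byte boundary */
} avp_t;

/* Returns 0 on success, -1 if the AVP is truncated or its Length field is
 * smaller than the header it claims to have (the underflow case). */
int parse_avp(const uint8_t *buf, size_t len, avp_t *out)
{
    if (len < AVP_HDR_LEN)
        return -1;  /* not even a complete fixed header */
    uint32_t avp_len = ((uint32_t)buf[5] << 16) | (buf[6] << 8) | buf[7];
    size_t hdr_len = (buf[4] & AVP_FLAG_VENDOR) ? AVP_HDR_VENDOR_LEN : AVP_HDR_LEN;

    /* AVP Length counts the header itself. Below hdr_len, avp_len - hdr_len
     * wraps to a huge size_t; above len, the data would be read past the end
     * of the received message. Reject both before touching any offset. */
    if (avp_len < hdr_len || avp_len > len)
        return -1;

    out->code = ((uint32_t)buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
    out->flags = buf[4];
    out->vendor_id = (hdr_len == AVP_HDR_VENDOR_LEN)
        ? (((uint32_t)buf[8] << 24) | (buf[9] << 16) | (buf[10] << 8) | buf[11]) : 0;
    out->data = buf + hdr_len;
    out->data_len = avp_len - hdr_len;  /* cannot underflow after the check above */
    out->total_len = (avp_len + 3u) & ~3u;
    if (out->total_len > len)
        out->total_len = len;  /* last AVP in a message may lack trailing padding */
    return 0;
}

/* Constructed samples (not captured traffic): a User-Name AVP (code 1, M bit
 * set) carrying "test", and the same bytes with Length forged to 2. */
static const uint8_t good_avp[] = {0,0,0,1, 0x40, 0,0,12, 't','e','s','t'};
static const uint8_t bad_avp[]  = {0,0,0,1, 0x40, 0,0,2,  't','e','s','t'};
```

Without the `avp_len < hdr_len` test, `bad_avp` would yield a data length of roughly SIZE_MAX - 5, which is the kind of value that later drives a crash.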

For the oldstable distribution (bookworm), this problem has been fixed
in version 5.9.8-5+deb12u3.

For the stable distribution (trixie), this problem has been fixed in
version 6.0.1-6+deb13u4.

We recommend that you upgrade your strongswan packages.

For the detailed security status of strongswan please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/strongswan

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/