Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1348-2 python2.7 regression update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1463-1 mercurial security update
ELA-1464-1 gst-plugins-bad1.0 security update
ELA-1458-1 python-django security update
Debian GNU/Linux 10 (Buster) Extended LTS:
[DSA 5943-1] libblockdev security update
ELA-1465-1 libblockdev security update
ELA-1347-2 python2.7 regression update
Debian GNU/Linux 11 (Bullseye) Extended LTS:
[DLA 4220-1] konsole security update
[DLA 4221-1] libblockdev security update
[DLA 4219-1] gst-plugins-bad1.0 security update
ELA-1463-1 mercurial security update
Package : mercurial
Version : 4.0-1+deb9u3 (stretch), 4.8.2-1+deb10u2 (buster)
Related CVEs :
CVE-2025-2361
A cross-site scripting vulnerability was discovered in hgweb, the
integrated stand-alone web interface of the Mercurial version control
system.
This update also stabilizes the test suites.
[SECURITY] [DLA 4220-1] konsole security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4220-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
June 17, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : konsole
Version : 4:20.12.3-1+deb11u1
CVE ID : CVE-2025-49091
Debian Bug : 1107672
It was discovered that there was a potential remote code execution
vulnerability in konsole, the X terminal emulator of the KDE desktop
environment.
This vulnerability could have been exploited when loading URLs from
scheme handlers such as "ssh://" or "telnet://".
For Debian 11 bullseye, this problem has been fixed in version
4:20.12.3-1+deb11u1.
We recommend that you upgrade your konsole packages.
For the detailed security status of konsole please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/konsole
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4221-1] libblockdev security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4221-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
June 17, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : libblockdev
Version : 2.25-2+deb11u1
CVE ID : CVE-2025-6019
The Qualys Threat Research Unit (TRU) discovered a local privilege
escalation vulnerability in libblockdev, a library for manipulating
block devices. An "allow_active" user can exploit this flaw via the
udisks daemon to obtain the full privileges of the root user.
Details can be found in the Qualys advisory at
https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Along with the libblockdev update, updated udisks2 packages are
released, to enforce that private mounts are mounted with
'nodev,nosuid'.
For Debian 11 bullseye, this problem has been fixed in version
2.25-2+deb11u1.
We recommend that you upgrade your libblockdev packages.
For the detailed security status of libblockdev please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libblockdev
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4219-1] gst-plugins-bad1.0 security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4219-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
June 17, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : gst-plugins-bad1.0
Version : 1.18.4-3+deb11u5
CVE ID : CVE-2025-3887
Debian Bug : 1106285
A stack buffer-overflow in the H.265 codec parser has been fixed in the
"bad" set of codecs for the GStreamer multimedia framework.
For Debian 11 bullseye, this problem has been fixed in version
1.18.4-3+deb11u5.
We recommend that you upgrade your gst-plugins-bad1.0 packages.
For the detailed security status of gst-plugins-bad1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5943-1] libblockdev security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5943-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 17, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : libblockdev
CVE ID : CVE-2025-6019
The Qualys Threat Research Unit (TRU) discovered a local privilege
escalation vulnerability in libblockdev, a library for manipulating
block devices. An "allow_active" user can exploit this flaw via the
udisks daemon to obtain the full privileges of the root user.
Details can be found in the Qualys advisory at
https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Along with the libblockdev update, updated udisks2 packages are
released, to enforce that private mounts are mounted with
'nodev,nosuid'.
For the stable distribution (bookworm), this problem has been fixed in
version 2.28-2+deb12u1. The additional udisks2 hardening is applied in
version 2.9.4-4+deb12u1.
We recommend that you upgrade your libblockdev packages.
For the detailed security status of libblockdev please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libblockdev
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1465-1 libblockdev security update
Package : libblockdev
Version : 2.20-7+deb10u2 (buster)
Related CVEs :
CVE-2025-6019
The Qualys Threat Research Unit (TRU) discovered a local privilege
escalation vulnerability in libblockdev, a library for manipulating
block devices. An "allow_active" user can exploit this flaw via the
udisks daemon to obtain the full privileges of the root user.
Details can be found in the Qualys advisory at
https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Along with the libblockdev update, updated udisks2 packages are
released, to enforce that private mounts are mounted with
'nodev,nosuid'.
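The hardening that ships with the udisks2 updates in the three libblockdev advisories above is that private mounts get the nodev,nosuid flags. The script below is an added example, not part of any advisory and not udisks2's own code: it parses /proc/self/mountinfo and reports mounts under the udisks mount locations that lack either flag, which is the post-update check a practitioner would run on a desktop or a multi-user host. The mount-point prefixes /media/ and /run/media/ are an assumption about where udisks2 places user mounts on a given system; adjust them to match the local configuration. The mountinfo excerpt is constructed for illustration.

```python
"""Report udisks-style private mounts that lack the nodev,nosuid flags the
updated udisks2 packages enforce.  Added example, not udisks2's code."""
import re
import sys

# Assumed: where udisks2 places user mounts on this system; adjust if it is
# configured differently.  Flags every such mount should carry per the advisory.
UDISKS_MOUNT_ROOTS = ("/media/", "/run/media/")
REQUIRED_FLAGS = ("nodev", "nosuid")

# Constructed /proc/self/mountinfo excerpt from a hypothetical desktop host.
SAMPLE_MOUNTINFO = r"""
24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
71 24 8:17 / /media/alice/USB\040STICK rw,nosuid,nodev,relatime shared:40 - vfat /dev/sdb1 rw,uid=1000
72 24 8:33 / /media/alice/backup rw,relatime shared:41 - ext4 /dev/sdc1 rw
73 24 0:45 / /run/media/bob/photos rw,nosuid,relatime shared:42 - exfat /dev/sdd1 rw
"""


def _unescape(s):
    """Decode the backslash-octal escapes the kernel uses for spaces etc. in paths."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts.  Field 6 holds the per-mount-point flags
    (nosuid, nodev, noexec, ro ...); fs type and source follow the ' - ' separator."""
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue
        fields, tail = pre.split(), post.split()
        mounts.append({
            "mount_point": _unescape(fields[4]),
            "options": frozenset(fields[5].split(",")),
            "fstype": tail[0],
            "source": _unescape(tail[1]),
        })
    return mounts


def audit_private_mounts(text, roots=UDISKS_MOUNT_ROOTS, required=REQUIRED_FLAGS):
    """Return (mount_point, source, missing_flags) for each mount under `roots`
    that is missing one of the required flags."""
    findings = []
    for m in parse_mountinfo(text):
        if not m["mount_point"].startswith(tuple(roots)):
            continue
        missing = [f for f in required if f not in m["options"]]
        if missing:
            findings.append((m["mount_point"], m["source"], missing))
    return findings


if __name__ == "__main__":
    # usage: python3 mountaudit.py [/proc/self/mountinfo]   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTINFO
    for mp, src, missing in audit_private_mounts(text):
        print(f"{mp} ({src}): missing {','.join(missing)}")
```

On the constructed sample the script flags /media/alice/backup (neither flag) and /run/media/bob/photos (nosuid present, nodev missing); the USB stick mounted with both flags is silent. Field 6 of mountinfo carries the per-mount flags, which is what matters here; the superblock options after the separator are not consulted.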
ELA-1464-1 gst-plugins-bad1.0 security update
Package : gst-plugins-bad1.0
Version : 1.10.4-1+deb9u6 (stretch), 1.14.4-1+deb10u6 (buster)
Related CVEs :
CVE-2025-3887
A stack buffer-overflow in the H.265 codec parser has been fixed in the
"bad" set of codecs for the GStreamer multimedia framework.
ELA-1348-2 python2.7 regression update
Package : python2.7
Version : 2.7.13-2+deb9u11 (stretch)
The fix for CVE-2023-27043 made the email.utils.getaddresses function
return results with an additional conversion from Python string object
(str) to Unicode object (unicode). This can lead to a change in
corner-case situations, as spotted in the Mercurial test suite. The
fix was adapted to restore the previous behavior.
ELA-1347-2 python2.7 regression update
Package : python2.7
Version : 2.7.16-2+deb10u6 (buster)
The fix for CVE-2023-27043 made the email.utils.getaddresses function
return results with an additional conversion from Python string object
(str) to Unicode object (unicode). This can lead to a change in
corner-case situations, as spotted in the Mercurial test suite. The
fix was adapted to restore the previous behavior.
ELA-1458-1 python-django security update
Package : python-django
Version : 1:1.10.7-2+deb9u26 (stretch), 1:1.11.29-1+deb10u15 (buster)
Related CVEs :
CVE-2023-43665
CVE-2024-24680
CVE-2025-32873
A number of vulnerabilities were found in Django, a Python-based
web-development framework:
CVE-2023-43665: Address a denial-of-service possibility in
django.utils.text.Truncator.
Following the fix for CVE-2019-14232, the regular expressions used in the
implementation of django.utils.text.Truncator’s chars() and words()
methods (with html=True) were revised and improved. However, these regular
expressions still exhibited linear backtracking complexity, so when given a
very long, potentially malformed HTML input, the evaluation would still be
slow, leading to a potential denial of service vulnerability. The chars()
and words() methods are used to implement the truncatechars_html and
truncatewords_html template filters, which were thus also vulnerable. The
input processed by Truncator, when operating in HTML mode, has been limited
to the first five million characters in order to avoid potential performance
and memory issues.
CVE-2024-24680: Potential denial-of-service in intcomma template filter.
The intcomma template filter was subject to a potential denial-of-service
attack when used with very long strings.
CVE-2025-32873: Denial-of-service possibility in strip_tags().
django.utils.html.strip_tags() would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the striptags template filter, which was therefore also
vulnerable. strip_tags() now raises a SuspiciousOperation exception if
it encounters an unusually large number of unclosed opening tags.