Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4313-1] node-tar-fs security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6003-2] firefox-esr update
[DSA 6013-1] node-tar-fs security update
Debian GNU/Linux 13 (Trixie):
[DSA 6014-1] gimp security update
[SECURITY] [DSA 6003-2] firefox-esr update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6003-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 28, 2025                    https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package        : firefox-esr
Firefox 140.3.1 has been released, which fixes connection errors with
some sites; if HTTP/3 connections failed, the fallback is now handled
more gracefully.
For the oldstable distribution (bookworm), these problems have been fixed
in version 140.3.1esr-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 140.3.1esr-1~deb13u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6014-1] gimp security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6014-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 28, 2025                    https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package        : gimp
CVE ID         : CVE-2025-10920 CVE-2025-10922 CVE-2025-10923 CVE-2025-10924
Several vulnerabilities were discovered in GIMP, the GNU Image
Manipulation Program, which could result in denial of service or
potentially the execution of arbitrary code if malformed Farbfeld,
Wireless Bitmap, DICOM or Apple Icon images are opened.
For the stable distribution (trixie), these problems have been fixed in
version 3.0.4-3+deb13u1.
We recommend that you upgrade your gimp packages.
For the detailed security status of gimp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gimp
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6013-1] node-tar-fs security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6013-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 28, 2025                    https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package        : node-tar-fs
CVE ID         : CVE-2025-59343
It was discovered that the symlink validation in node-tar-fs, a Node.js
module that provides filesystem-like access to tar files, could be
bypassed.
For the oldstable distribution (bookworm), this problem has been fixed
in version 2.1.3-0+deb12u2.
For the stable distribution (trixie), this problem has been fixed in
version 3.0.9+~cs2.0.4-1+deb13u1.
We recommend that you upgrade your node-tar-fs packages.
For the detailed security status of node-tar-fs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-tar-fs
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4313-1] node-tar-fs security update
From: Xavier Guimard [yadd@debian.org]
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4313-1] node-tar-fs security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4313-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                                 Yadd
September 27, 2025                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : node-tar-fs
Version        : 2.1.3-0+deb11u2
CVE ID         : CVE-2025-59343
Debian Bug     :
node-tar-fs versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to
a symlink validation bypass if the destination directory is predictable
and a specific tarball is extracted into it.
For Debian 11 bullseye, this problem has been fixed in version
2.1.3-0+deb11u2.
We recommend that you upgrade your node-tar-fs packages.
For the detailed security status of node-tar-fs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-tar-fs
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS