Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1429-1 openjdk-8 security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1428-1 openjdk-11 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4174-1] openjdk-11 security update
[DLA 4173-1] openjdk-17 security update
[DLA 4172-1] firefox-esr security update
[DLA 4175-1] mongo-c-driver security update
[SECURITY] [DLA 4174-1] openjdk-11 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4174-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
May 20, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : openjdk-11
Version : 11.0.27+6-1~deb11u1
CVE ID : CVE-2025-21587 CVE-2025-30691 CVE-2025-30698
Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in denial of service, information disclosure
or bypass of sandbox restrictions.
For Debian 11 bullseye, these problems have been fixed in version
11.0.27+6-1~deb11u1.
We recommend that you upgrade your openjdk-11 packages.
For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4173-1] openjdk-17 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4173-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
May 20, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : openjdk-17
Version : 17.0.15+6-1~deb11u1
CVE ID : CVE-2025-21587 CVE-2025-30691 CVE-2025-30698
Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in denial of service, information disclosure
or bypass of sandbox restrictions.
For Debian 11 bullseye, these problems have been fixed in version
17.0.15+6-1~deb11u1.
We recommend that you upgrade your openjdk-17 packages.
For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4172-1] firefox-esr security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4172-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
May 20, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : firefox-esr
Version : 128.10.1esr-1~deb11u1
CVE ID : CVE-2025-4083 CVE-2025-4087 CVE-2025-4091 CVE-2025-4093
CVE-2025-4918 CVE-2025-4919
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or a bypass of sandbox restrictions.
For Debian 11 bullseye, these problems have been fixed in version
128.10.1esr-1~deb11u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1429-1 openjdk-8 security update
Package : openjdk-8
Version : 8u452-ga-1~deb8u1 (jessie), 8u452-ga-1~deb9u1 (stretch)
Related CVEs :
CVE-2025-21587
CVE-2025-30691
CVE-2025-30698
Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in denial of service, information disclosure
or bypass of sandbox restrictions.
ELA-1428-1 openjdk-11 security update
Package : openjdk-11
Version : 11.0.27+6-1~deb10u1 (buster)
Related CVEs :
CVE-2025-21587
CVE-2025-30691
CVE-2025-30698
Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in denial of service, information disclosure
or bypass of sandbox restrictions.
[SECURITY] [DLA 4175-1] mongo-c-driver security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4175-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Roberto C. Sánchez
May 20, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : mongo-c-driver
Version : 1.17.6-1+deb11u1
CVE ID : CVE-2021-32050 CVE-2023-0437 CVE-2024-6381 CVE-2024-6383
CVE-2025-0755
Multiple vulnerabilities have been discovered in the MongoDB C Driver.
CVE-2021-32050
Some MongoDB Drivers may erroneously publish events containing
authentication-related data to a command listener configured by an
application. The published events may contain security-sensitive
data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this
sensitive information, e.g., by writing it to a log file. This issue
only arises if an application enables the command listener feature
(this is not enabled by default).
CVE-2023-0437
When called on some inputs, bson_utf8_validate can enter a loop whose
exit condition is never reached, i.e. an infinite loop.
CVE-2024-6381
The bson_strfreev function in the MongoDB C driver library may be
susceptible to an integer overflow where the function will try to
free memory at a negative offset. This may result in memory
corruption.
CVE-2024-6383
The bson_string_append function in MongoDB C Driver may be
vulnerable to a buffer overflow where the function might allocate
too small a buffer, which may lead to memory corruption of
neighbouring heap memory.
CVE-2025-0755
The various bson_append functions in the MongoDB C driver library
may be susceptible to buffer overflow when performing operations
that could result in a final BSON document which exceeds the maximum
allowable size (INT32_MAX), resulting in a segmentation fault and
possible application crash.
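The two size-accounting defects above (CVE-2024-6383's undersized buffer and CVE-2025-0755's document growing past INT32_MAX) share one root cause: a bound check performed on a 32-bit sum that has already wrapped. The following is an added illustration, not libbson's own code, of what an overflow-safe pre-append check and capacity-growth routine look like next to the naive check that fails; the element layout (type byte, key, NUL, value) and the helper names are assumptions for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hard ceiling on a serialised BSON document, as quoted in the advisory. */
#define BSON_MAX_SIZE ((uint64_t) INT32_MAX)

/*
 * Hypothetical pre-append check (not libbson's code). An element costs one
 * type byte, the key bytes, a NUL terminator and the encoded value. The sum
 * is computed in 64 bits so it cannot wrap before it is compared to the cap.
 */
bool bson_can_append(uint32_t cur_len, size_t key_len, size_t value_len)
{
    uint64_t element = 1 + (uint64_t) key_len + 1 + (uint64_t) value_len;
    uint64_t total = (uint64_t) cur_len + element;
    return total <= BSON_MAX_SIZE;
}

/*
 * The failure mode described for CVE-2025-0755: the 32-bit sum wraps, the
 * now-negative total passes the bound check, and the write that follows
 * lands beyond the buffer. Shown only to contrast with the check above.
 */
bool bson_can_append_naive(uint32_t cur_len, uint32_t element)
{
    int32_t total = (int32_t) (cur_len + element); /* wraps past INT32_MAX */
    return total <= INT32_MAX;                     /* always true */
}

/*
 * Overflow-safe capacity growth for a string builder (cf. CVE-2024-6383):
 * double the capacity until it covers `required`, and refuse (return
 * false) rather than hand back a buffer that is smaller than the request.
 */
bool string_grow_capacity(uint32_t cur_cap, uint64_t required, uint32_t *out)
{
    if (required > BSON_MAX_SIZE)
        return false;
    uint64_t cap = cur_cap ? cur_cap : 32;
    while (cap < required) {
        cap *= 2;
        if (cap > BSON_MAX_SIZE)
            return false;
    }
    *out = (uint32_t) cap;
    return true;
}
```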
For Debian 11 bullseye, these problems have been fixed in version
1.17.6-1+deb11u1.
We recommend that you upgrade your mongo-c-driver packages.
For the detailed security status of mongo-c-driver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mongo-c-driver
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS