Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1531-1 tiff security update
ELA-1532-1 libjson-xs-perl security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1529-1 modsecurity-apache security update
ELA-1533-1 libcpanel-json-xs-perl security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4316-1] open-vm-tools security update
[DSA 6015-1] openssl security update
[SECURITY] [DLA 4316-1] open-vm-tools security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4316-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
September 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : open-vm-tools
Version : 2:11.2.5-2+deb11u5
CVE ID : CVE-2025-41244
An issue was found in open-vm-tools, a set of tools for VMs hosted on
VMware: a local privilege escalation involving the get-versions.sh
script shipped with the service discovery plugin (open-vm-tools-sdmp).
For Debian 11 bullseye, this problem has been fixed in version
2:11.2.5-2+deb11u5.
We recommend that you upgrade your open-vm-tools packages.
For the detailed security status of open-vm-tools please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/open-vm-tools
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1531-1 tiff security update
Package : tiff
Version : 4.0.8-2+deb9u14 (stretch), 4.1.0+git191117-2~deb10u11 (buster)
Related CVEs :
CVE-2024-13978
CVE-2025-9900
Multiple vulnerabilities were fixed in tiff, a library and tools
providing support for the Tag Image File Format (TIFF).
CVE-2024-13978
The function t2p_read_tiff_init in the file tools/tiff2pdf.c of the
component fax2ps is affected. Manipulation leads to a NULL pointer
dereference. The attack must be carried out locally; attack complexity
is rather high and exploitation appears to be difficult.
CVE-2025-9900
This vulnerability is a “write-what-where” condition, triggered
when the library processes a specially crafted TIFF image file.
By providing an abnormally large image height value in the file’s
metadata, an attacker can trick the library into writing
attacker-controlled color data to an arbitrary memory location.
This memory corruption can be exploited to cause a denial of
service (application crash) or to achieve arbitrary code execution
with the permissions of the user.
[SECURITY] [DSA 6015-1] openssl security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6015-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 01, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openssl
CVE ID : CVE-2025-9230 CVE-2025-9231 CVE-2025-9232
Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit, which may result in denial of service or
information leaks.
Additional details can be found in the upstream advisory:
https://openssl-library.org/news/secadv/20250930.txt
For the oldstable distribution (bookworm), these problems have been fixed
in version 3.0.17-1~deb12u3.
For the stable distribution (trixie), these problems have been fixed in
version 3.5.1-1+deb13u1.
We recommend that you upgrade your openssl packages.
For the detailed security status of openssl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/openssl
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1529-1 modsecurity-apache security update
Package : modsecurity-apache
Version : 2.9.3-3+deb11u5~deb10u1 (buster)
Related CVEs :
CVE-2025-54571
Cross-site scripting due to insufficient return value handling has been
fixed in modsecurity-apache, a module for the Apache webserver to
tighten Web application security.
ELA-1533-1 libcpanel-json-xs-perl security update
Package : libcpanel-json-xs-perl
Version : 4.09-1+deb10u1 (buster)
Related CVEs :
CVE-2025-40928
A vulnerability has been fixed in libcpanel-json-xs-perl, a Perl module for serialising to JSON.
CVE-2025-40928
Integer buffer overflow causing a segfault when parsing crafted JSON,
enabling denial-of-service attacks or other unspecified impact.
ELA-1532-1 libjson-xs-perl security update
Package : libjson-xs-perl
Version : 3.030-1+deb9u1 (stretch), 3.040-1+deb10u1 (buster)
Related CVEs :
CVE-2025-40928
A vulnerability has been fixed in libjson-xs-perl, a Perl module which does C/XS-accelerated manipulation of JSON-formatted data.
CVE-2025-40928
Integer buffer overflow causing a segfault when parsing crafted JSON,
enabling denial-of-service attacks or other unspecified impact.