[DLA 4427-1] php-dompdf security update
[DLA 4428-1] mediawiki security update
[SECURITY] [DLA 4427-1] php-dompdf security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4427-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
December 30, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : php-dompdf
Version : 0.6.2+dfsg-3.1+deb11u1
CVE ID : CVE-2021-3838 CVE-2022-2400
Two vulnerabilities were discovered in php-dompdf, a PHP library to
convert HTML to PDF.
CVE-2021-3838
php-dompdf is vulnerable to PHAR deserialization due to a lack of
checking on the protocol before passing it into the
file_get_contents() function. An attacker who can upload files of
any type to the server can pass in the phar:// protocol to
unserialize the uploaded file and instantiate arbitrary PHP
objects. This can lead to remote code execution, especially when
DOMPdf is used with frameworks with documented POP chains like
Laravel or vulnerable developer code
CVE-2022-2400
php-dompdf was vulnerable to External Control of File Name bypassing
unallowed access verification.
For Debian 11 bullseye, these problems have been fixed in version
0.6.2+dfsg-3.1+deb11u1.
We recommend that you upgrade your php-dompdf packages.
For the detailed security status of php-dompdf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-dompdf
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4428-1] mediawiki security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4428-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
December 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : mediawiki
Version : 1:1.35.13-1+deb11u6
CVE ID : CVE-2025-67475 CVE-2025-67478 CVE-2025-67479 CVE-2025-67480
CVE-2025-67481 CVE-2025-67482 CVE-2025-67484
Multiple security vulnerabilities were found in mediawiki, a website
engine for collaborative work, which could lead to information
disclosure, denial of service or privilege escalation.
CVE-2025-67475
Square brackets in autocomment links were not always escaped.
CVE-2025-67478
Commas not separating values in RFC 2822 style headers were not
escaped, hence could be interpreted downstream as value separators.
CVE-2025-67479
Underscore and wide underscore were not always sanitized in `data-*`
attribute names.
CVE-2025-67480
ApiQueryRevisionsBase did not check for read permissions for the
target page.
CVE-2025-67481
Insufficient `style` attribute sanitation in client-side messages
(jqueryMsg).
As such attributes are difficult to sanitize properly (the logic
needs to be updated constantly as new CSS features are developed by
browser vendors) and their use cases in client-side messages are
extremely rare, they are no longer allowed.
If needed, `class` and `id` are still allowed, so these elements can
be targeted by normal stylesheets.
CVE-2025-67482
Scribunto extension: Segfault in unpack() with large integers
affecting some builds of Lua.
CVE-2025-67484
Cross-site scripting (XSS) vulnerability via xslt option for users
with the "editinterface" permission. The xslt option is now
disabled by default. If the former unsafe behavior is desired, is
can be re-enabled by setting `$wgEnableUnsafeXsltOption` to true.
For Debian 11 bullseye, these problems have been fixed in version
1:1.35.13-1+deb11u6.
We recommend that you upgrade your mediawiki packages.
For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
