
Debian has released security updates for two packages: pdfminer and vlc. The pdfminer update, version 20200726-1+deb11u2 for Debian GNU/Linux 11 (Bullseye) LTS, fixes a vulnerability that could allow arbitrary code execution when processing a malicious PDF file. The vlc update, version 3.0.23-0+deb12u1 for Debian GNU/Linux 12 (Bookworm) and 3.0.23-0+deb13u1 for 13 (Trixie), addresses multiple vulnerabilities that could result in denial of service or arbitrary code execution when opening a malformed video file.

[DLA 4374-2] pdfminer security update
[DSA 6096-1] vlc security update




[SECURITY] [DLA 4374-2] pdfminer security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4374-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
January 08, 2026                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : pdfminer
Version : 20200726-1+deb11u2
CVE ID : CVE-2025-64512
Debian Bug : 1120642

It was previously discovered that there was a potential arbitrary
code execution in pdfminer, a tool for extracting information from
PDF documents. A malicious, zipped pickle file might have contained
code that might have been executed when the PDF was processed.

Although a fix for this was released in pdfminer version
20200726-1+deb11u2 (via DLA-4374-1), upstream subsequently determined
that this mitigation was insufficient and a more comprehensive
mitigation that replaces the pickle-based mechanism entirely was
applied instead.

For Debian 11 bullseye, this updated fix has been released in
version 20200726-1+deb11u2.

We recommend that you upgrade your pdfminer packages.

For the detailed security status of pdfminer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdfminer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
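
As an added illustration of the issue class described in DLA-4374-2 (not code from Debian, the advisory or pdfminer): a compressed pickle can be disassembled with `pickletools` and checked for opcodes that import or call objects, without ever unpickling it. The gzip framing, the opcode list, the function names and the constructed sample data are assumptions of this example.

```python
import gzip
import pickle
import pickletools
import zlib
from collections import OrderedDict

# Opcodes that import a callable or invoke one during unpickling.
# Plain data (dicts, lists, strings, numbers) needs none of them.
CODE_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}


def scan_pickle_gz(blob):
    """Return [(offset, opcode, argument)] for every code-capable opcode.

    The stream is only disassembled with pickletools.genops; it is never
    passed to pickle.load, so nothing in it is executed.
    """
    try:
        raw = gzip.decompress(blob)
    except (OSError, EOFError, zlib.error) as exc:
        raise ValueError(f"not a valid gzip stream: {exc}") from exc
    findings = []
    try:
        for opcode, arg, pos in pickletools.genops(raw):
            if opcode.name in CODE_OPCODES:
                findings.append((pos, opcode.name, "" if arg is None else str(arg)))
    except Exception as exc:  # truncated or malformed pickle stream
        raise ValueError(f"malformed pickle stream: {exc}") from exc
    return findings


def is_data_only(blob):
    """True when the pickle can be rebuilt without importing or calling anything."""
    return not scan_pickle_gz(blob)


# Constructed, benign samples: a pure-data mapping, and an object whose
# pickle has to import a class and call it in order to be rebuilt.
DATA_ONLY = gzip.compress(pickle.dumps({"codes": {1: 2}, "vertical": False}, protocol=2))
NEEDS_IMPORT = gzip.compress(
    pickle.dumps(OrderedDict(a=1), protocol=2, fix_imports=False))

if __name__ == "__main__":
    for name, blob in (("data-only", DATA_ONLY), ("needs-import", NEEDS_IMPORT)):
        print(name, scan_pickle_gz(blob))
```

A file that fails `is_data_only` is one whose loading depends on what the unpickler is allowed to import, which is why replacing the pickle-based mechanism removes the problem rather than narrowing it.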



[SECURITY] [DSA 6096-1] vlc security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6096-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 08, 2026                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : vlc
CVE ID : not yet available

Multiple vulnerabilities were discovered in the VLC media player, which
could result in denial of service or potentially the execution of
arbitrary code if a malformed video file is opened.

For the oldstable distribution (bookworm), this problem has been fixed
in version 3.0.23-0+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 3.0.23-0+deb13u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/