[DLA 4420-1] postgresql-13 security update
[DLA 4419-1] gst-plugins-good1.0 security update
ELA-1600-1 gst-plugins-base1.0 security update
[SECURITY] [DLA 4420-1] postgresql-13 security update
- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4420-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
December 26, 2025 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------
Package : postgresql-13
Version : 13.23-0+deb11u1
CVE ID : CVE-2025-12817 CVE-2025-12818
A couple of vulnerabilities were discovered in postgresql-13, the
widely-popular database management system:
CVE-2025-12817
Missing authorization in PostgreSQL CREATE STATISTICS command
allows a table owner to achieve denial of service against other
CREATE STATISTICS users by creating in any schema. A later
CREATE STATISTICS for the same name, from a user having the
CREATE privilege, would then fail.
CVE-2025-12818
Integer wraparound in multiple PostgreSQL libpq client library
functions allows an application input provider or network peer
to cause libpq to undersize an allocation and write out-of-bounds
by hundreds of megabytes. This results in a segmentation fault
for the application using libpq.
For Debian 11 bullseye, these problems have been fixed in version
13.23-0+deb11u1.
We recommend that you upgrade your postgresql-13 packages.
For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4419-1] gst-plugins-good1.0 security update
- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4419-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
December 25, 2025 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------
Package : gst-plugins-good1.0
Version : 1.18.4-2+deb11u4
CVE ID : CVE-2025-47183 CVE-2025-47219
Multiple vulnerabilities were found in the plugins for the GStreamer
media framework leading to information disclosure.
CVE-2025-47183
In GStreamer, the isomp4 plugin's qtdemux_parse_tree function may
read past the end of a heap buffer while parsing an MP4 file,
leading to information disclosure.
CVE-2025-47219
In GStreamer, the isomp4 plugin's qtdemux_parse_trak function may
read past the end of a heap buffer while parsing an MP4 file,
possibly leading to information disclosure.
For Debian 11 bullseye, these problems have been fixed in version
1.18.4-2+deb11u4.
We recommend that you upgrade your gst-plugins-good1.0 packages.
For the detailed security status of gst-plugins-good1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-good1.0
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1600-1 gst-plugins-base1.0 security update
Package : gst-plugins-base1.0
Version : 1.10.4-1+deb9u6 (stretch), 1.14.4-2+deb10u5 (buster)
Related CVEs :
CVE-2025-47806
CVE-2025-47807
CVE-2025-47808
Multiple vulnerabilities were found in the plugins for the GStreamer
media framework leading to a crash.
CVE-2025-47806
In GStreamer, the subparse plugin's parse_subrip_time function
may write data past the bounds of a stack buffer, leading to
a crash.
CVE-2025-47807
In GStreamer, the subparse plugin's subrip_unescape_formatting
function may dereference a NULL pointer while parsing a subtitle
file, leading to a crash.
CVE-2025-47808
In GStreamer, the subparse plugin's tmplayer_parse_line function may
dereference a NULL pointer while parsing a subtitle file, leading to
a crash.ELA-1600-1 gst-plugins-base1.0 security update
