Multiple security updates have been released for Debian GNU/Linux to address vulnerabilities in various packages, including strongswan, wordpress, dcmtk, gimp, geographiclib, pure-ftpd, and ruby-rack. The vulnerabilities include issues that can let attackers run harmful code or get access to private information, such as buffer overflows, stored Cross-Site Scripting (XSS) attacks, and crashes of programs. The affected packages have been updated with new versions that fix the identified vulnerabilities, and users are advised to upgrade their packages as soon as possible. The security advisories provide detailed information about the vulnerabilities, including CVE IDs, affected versions, and recommended actions for users to take to ensure their systems remain secure.

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1566-1 pure-ftpd security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4359-1] strongswan security update
[DLA 4358-1] wordpress security update
[DLA 4363-1] dcmtk security update
[DLA 4362-1] gimp security update
[DLA 4361-1] geographiclib security update
[DLA 4360-1] pure-ftpd security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6048-1] ruby-rack security update

[SECURITY] [DLA 4359-1] strongswan security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4359-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
November 03, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : strongswan
Version : 5.9.1-1+deb11u5
CVE ID : CVE-2025-62291

Xu Biang discovered a buffer overflow bug in the eap-mschapv2 plugin of
strongSwan, an IKE/IPsec suite.

The eap-mschapv2 plugin does not correctly check the length of an
EAP-MSCHAPv2 Failure Request packet on the client, which can cause an
integer underflow that leads to a crash, and a heap-based buffer overflow
that's potentially exploitable for remote code execution.

For Debian 11 bullseye, this problem has been fixed in version
5.9.1-1+deb11u5.

We recommend that you upgrade your strongswan packages.

For the detailed security status of strongswan please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/strongswan

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4358-1] wordpress security update

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4358-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
November 02, 2025 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package : wordpress
Version : 5.7.14+dfsg1-0+deb11u1
CVE ID : CVE-2024-6307 CVE-2024-31111 CVE-2025-58246
CVE-2025-58674
Debian Bug : 1074486 1117047

Several security vulnerabilities have been discovered in Wordpress,
a popular content management framework.

CVE-2024-6307

WordPress Core is vulnerable to stored Cross-Site Scripting via
the HTML API due to insufficient input sanitization and output
escaping on URLs. This makes it possible for authenticated
attackers, with contributor-level access and above, to inject
arbitrary web scripts in pages that will execute whenever a user
accesses an injected page.

CVE-2024-31111

Improper neutralization of input during web gage generation (XSS or
"Cross-site Scripting") vulnerability in Automattic WordPress allows
Stored XSS.

CVE-2025-58246

Insertion of sensitive information into sent data vulnerability in
WordPress allows retrieval of embedded sensitive data.

CVE-2025-58674

Improper neutralization of input during web page generation
("Cross-site Scripting") vulnerability in WordPress allows
Stored XSS.

For Debian 11 bullseye, these problems have been fixed in version
5.7.14+dfsg1-0+deb11u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4363-1] dcmtk security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4363-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
November 03, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : dcmtk
Version : 3.6.5-1+deb11u5
CVE ID : CVE-2020-36855 CVE-2022-4981 CVE-2025-9732
Debian Bug : 1113993

Several vulnerabilities have been fixed in DCMTK, a collection of
libraries and applications implementing large parts of the DICOM standard
for medical images.

CVE-2025-9732

Processing of an invalid DICOM image with a Photometric
Interpretation of "YBR_FULL" and a Planar Configuration of "1" where
the number of pixels stored does not match the expected number of pixels.
This may lead to memory corruption.

CVE-2022-4981

Various issues in the dcmqrscp configuration file parser that could cause
application crashes when reading a malformed configuration file, due to
insufficient checks of the input data.

CVE-2020-36855

Stack-based overflow in the dcmqrscp config parser.

For Debian 11 bullseye, these problems have been fixed in version
3.6.5-1+deb11u5.

We recommend that you upgrade your dcmtk packages.

For the detailed security status of dcmtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dcmtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4362-1] gimp security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4362-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
November 03, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gimp
Version : 2.10.22-4+deb11u4
CVE ID : CVE-2025-10934
Debian Bug : 1119661

GIMP, the GNU Image Manipulation Program, is vulnerable to a heap-based
buffer overflow when parsing XWD files. This vulnerability allows remote
attackers to execute arbitrary code on affected installations of GIMP and
requires the target to visit a malicious page or open a malicious file.

For Debian 11 bullseye, this problem has been fixed in version
2.10.22-4+deb11u4.

We recommend that you upgrade your gimp packages.

For the detailed security status of gimp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gimp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4361-1] geographiclib security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4361-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
November 03, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : geographiclib
Version : 1.51-1+deb11u1
CVE ID : CVE-2025-60751

Geographiclib is a C++ library to solve geodesic problems. A stack buffer
overflow occurs when the GeoConvert tool receives a crafted input. The overflow
occurs because the program does not properly validate an internal index,
allowing an out-of-bounds write on the stack. An attacker can exploit this
vulnerability to hijack the program's control flow by overwriting a return
address to point to a libc function and execute arbitrary code.

For Debian 11 bullseye, this problem has been fixed in version
1.51-1+deb11u1.

We recommend that you upgrade your geographiclib packages.

For the detailed security status of geographiclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/geographiclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4360-1] pure-ftpd security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4360-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
November 03, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : pure-ftpd
Version : 1.0.49-4.1+deb11u1
CVE ID : CVE-2021-40524
Debian Bug : 993810

It was discovered that pure-ftpd, a secure and efficient FTP server,
incorrectly verified the maximum file size in the quota mechanism, allowing
adversaries to upload files of unbounded size. This may lead to denial of
service or a server hang.

For Debian 11 bullseye, this problem has been fixed in version
1.0.49-4.1+deb11u1.

We recommend that you upgrade your pure-ftpd packages.

For the detailed security status of pure-ftpd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pure-ftpd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DSA 6048-1] ruby-rack security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6048-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 03, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ruby-rack
CVE ID : CVE-2025-61770 CVE-2025-61771 CVE-2025-61772
CVE-2025-61780 CVE-2025-61919

Multiple security issues were found in Rack, an interface for developing
web applications in Ruby, which could result in denial of service or
proxy bypass.

For the oldstable distribution (bookworm), these problems have been fixed
in version 2.2.20-0+deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 3.1.18-1~deb13u1.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

ELA-1566-1 pure-ftpd security update

Package : pure-ftpd
Version : 1.0.47-3+deb10u1 (buster)

Related CVEs :
CVE-2019-20176
CVE-2020-9274
CVE-2020-9365
CVE-2021-40524

Multiple vulnerabilities were discovered in pure-ftpd, a secure and efficient FTP server,
that could lead to data corruption, information disclosure or program crash.

CVE-2019-20176:
Stack exhaustion in the listdir function in ls.c.

CVE-2020-9274:
Uninitialized pointer in the diraliases linked list.

CVE-2020-9365:
Out-of-bounds (OOB) read in the pure_strcmp function in utils.c.

CVE-2021-40524:
Incorrect max_filesize quota mechanism in the server allows adversaries to
upload files of unbounded size.

ELA-1566-1 pure-ftpd security update