Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1627-1 python-django security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1630-1 dcmtk security update
ELA-1629-1 apache-log4j2 security update
ELA-1628-1 edk2 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4458-1] python-django security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6115-1] gimp security update
[DSA 6114-1] pyasn1 security update
ELA-1630-1 dcmtk security update
Package : dcmtk
Version : 3.6.4-2.1+deb10u5 (buster)
Related CVEs :
CVE-2025-14607
CVE-2025-14841
Two vulnerabilities have been addressed in DCMTK, a collection of
libraries and applications implementing large parts of the DICOM standard
for medical images.
CVE-2025-14607
Possible memory corruption caused by illegal attributes in datasets which
are processed by DcmByteString functions.
CVE-2025-14841
Invalid messages sent to dcmqrscp, the Image Central Test Node, may
trigger a segmentation fault due to a NULL pointer being de-referenced.
ELA-1629-1 apache-log4j2 security update
Package : apache-log4j2
Version : 2.17.1-1~deb10u2 (buster)
Related CVEs :
CVE-2025-68161
In Apache Log4j2, a Java Logging Framework, the Socket Appender does not
perform TLS hostname verification of the peer certificate, even when the
verifyHostName configuration attribute or the log4j2.sslVerifyHostName
system property is set to true. This issue may allow a man-in-the-middle
attacker to intercept or redirect log traffic under specific and hard-to-exploit
conditions.
ELA-1628-1 edk2 security update
Package : edk2
Version : 2020.11-2+deb10u1 (buster)
Related CVEs :
CVE-2021-28216
CVE-2021-38575
CVE-2021-38576
CVE-2021-38578
CVE-2022-36763
CVE-2022-36764
CVE-2022-36765
CVE-2023-45229
CVE-2023-45230
CVE-2023-45231
CVE-2023-45232
CVE-2023-45233
CVE-2023-45234
CVE-2023-45235
CVE-2024-1298
CVE-2024-38796
Multiple security vulnerabilities have been fixed in EDK II, a modern,
feature-rich, cross-platform firmware development environment. Remotely
exploitable buffer overflows and out-of-bounds or infinite loop
vulnerabilities may lead to a denial of service or the execution of
arbitrary code.
ELA-1627-1 python-django security update
Package : python-django
Version : 1:1.10.7-2+deb9u29 (stretch), 1:1.11.29-1+deb10u18 (buster)
Related CVEs :
CVE-2021-32052
CVE-2024-27351
CVE-2019-14232
CVE-2024-39614
CVE-2024-45231
Multiple vulnerabilities were discovered in Django, the Python-based web
development framework:
CVE-2021-32052: Header injection possibility since URLValidator accepted
newlines in input on Python 3.9.5+.
CVE-2024-27351: Fix a potential regular expression denial-of-service
(“ReDoS”) attack in django.utils.text.Truncator.words. This method
(with html=True) and the truncatewords_html template filter were subject
to a potential regular expression denial-of-service attack via a suitably
crafted string. This is, in part, a follow up to CVE-2019-14232 and
CVE-2023-43665.
CVE-2024-39614: Fix a potential denial-of-service in
django.utils.translation.get_supported_language_variant. This method was
subject to a potential DoS attack when used with very long strings
containing specific characters. To mitigate this vulnerability, the
language code provided to get_supported_language_variant is now parsed up
to a maximum length of 500 characters.
CVE-2024-45231: Potential user email enumeration via response status on
password reset. Due to unhandled email sending failures, the
django.contrib.auth.forms.PasswordResetForm class allowed remote attackers
to enumerate user emails by issuing password reset requests and observing the
outcomes. To mitigate this risk, exceptions occurring during password reset
email sending are now handled and logged using the django.contrib.auth
logger.
[SECURITY] [DSA 6115-1] gimp security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6115-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 29, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : gimp
CVE ID : CVE-2025-15059
A buffer overflow was discovered in GIMP, the GNU Image Manipulation
Program, which could result in denial of service or potentially the
execution of arbitrary code if malformed PSP images are opened.
For the oldstable distribution (bookworm), this problem has been fixed
in version 2.10.34-1+deb12u7.
For the stable distribution (trixie), this problem has been fixed in
version 3.0.4-3+deb13u5.
We recommend that you upgrade your gimp packages.
For the detailed security status of gimp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gimp
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4458-1] python-django security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4458-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
January 28, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-django
Version : 2:2.2.28-1~deb11u11
CVE IDs : CVE-2024-39614 CVE-2024-45231 CVE-2024-42005 CVE-2024-41991 CVE-2024-39329 CVE-2024-41989 CVE-2024-39330 CVE-2025-6069
Multiple vulnerabilities were discovered in Django, the Python-based
web development framework:
- CVE-2024-39614: Fix a potential denial-of-service in
django.utils.translation.get_supported_language_variant. This
method was subject to a potential DoS attack when used with very
long strings containing specific characters. To mitigate this
vulnerability, the language code provided to
get_supported_language_variant is now parsed up to a maximum length
of 500 characters.
- CVE-2024-45231: Potential user email enumeration via response
status on password reset. Due to unhandled email sending failures,
the django.contrib.auth.forms.PasswordResetForm class allowed
remote attackers to enumerate user emails by issuing password reset
requests and observing the outcomes. To mitigate this risk,
exceptions occurring during password reset email sending are now
handled and logged using the django.contrib.auth logger.
- CVE-2024-42005: Potential SQL injection in QuerySet.values() and
values_list(). QuerySet.values() and values_list() methods on
models with a JSONField are subject to SQL injection in column
aliases via a crafted JSON object key as a passed *arg.
- CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget. The urlize and
urlizetrunc template filters, and the AdminURLFieldWidget widget,
are subject to a potential denial-of-service attack via certain
inputs with a very large number of Unicode characters.
- CVE-2024-39329: Avoid a username enumeration vulnerability through
timing difference for users with unusable password. The
authenticate method of django.contrib.auth.backends.ModelBackend
method allowed remote attackers to enumerate users via a timing
attack involving login requests for users with unusable passwords.
- CVE-2024-41989: Memory exhaustion in django.utils.numberformat. The
floatformat template filter is subject to significant memory
consumption when given a string representation of a number in
scientific notation with a large exponent.
- CVE-2024-39330: Address a potential directory-traversal in
django.core.files.storage.Storage.save. Derived classes of this
method's base class which override generate_filename without
replicating the file path validations existing in the parent class
allowed for potential directory-traversal via certain inputs when
calling save(). Built-in Storage sub-classes were not affected by
this vulnerability.
In addition, the fix for CVE-2025-6069 in the python3.9 source
package (released as part of a suite of updates in DLA 4445-1)
modified the html.parser.HTMLParser class in a way that changed
the behaviour of Django's strip_tags() method in some edge cases
covered by Django's test suite. To account for this regression, the
test suite has been updated for the new expected results.
For Debian 11 bullseye, these problems have been fixed in version
2:2.2.28-1~deb11u11.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6114-1] pyasn1 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6114-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 28, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : pyasn1
CVE ID : CVE-2026-23490
Debian Bug : 1125753
It was discovered that pyasn1, a generic ASN.1 library for Python, is
prone to a denial of service vulnerability, which may result in memory
exhaustion from malformed OID/RELATIVE-OID with excessive continuation
octets.
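The failure mode named above is easiest to see in a decoder: each BER OID sub-identifier is a base-128 number whose octets all have the high bit set except the last, so a decoder that keeps accumulating for as long as continuation octets arrive lets the input dictate how large the accumulator grows. The following is an added example, not pyasn1's code, of a minimal OBJECT IDENTIFIER / RELATIVE-OID content decoder that caps the continuation octets per sub-identifier; the cap value (10, already more than a 64-bit arc needs) and the sample inputs are constructed for this illustration.

```python
# Added example (not pyasn1's implementation): decode the content octets of a
# BER OBJECT IDENTIFIER or RELATIVE-OID while bounding the number of base-128
# continuation octets accepted for a single sub-identifier.

# Constructed cap: 11 octets total (10 continuation + 1 final) encode up to
# 77 bits, which is more than any legitimate 64-bit arc requires.
MAX_CONTINUATION_OCTETS = 10


class MalformedOid(ValueError):
    """Raised for truncated or over-long OID encodings."""


def decode_oid_content(content: bytes, relative: bool = False) -> tuple:
    """Decode OID content octets into a tuple of integer arcs.

    Every octet except the last of a sub-identifier has bit 8 set and
    contributes its low seven bits, most significant first. For an absolute
    OID the first decoded value packs the first two arcs as 40 * X + Y.
    """
    arcs = []
    value = 0
    octets_in_arc = 0
    for octet in content:
        octets_in_arc += 1
        # Reject before shifting, so the accumulator never grows past the cap.
        if octets_in_arc > MAX_CONTINUATION_OCTETS + 1:
            raise MalformedOid(
                "sub-identifier longer than %d octets" % (MAX_CONTINUATION_OCTETS + 1)
            )
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # final octet of this sub-identifier
            arcs.append(value)
            value = 0
            octets_in_arc = 0
    if octets_in_arc:
        raise MalformedOid("truncated sub-identifier at end of content")
    if relative:
        return tuple(arcs)
    if not arcs:
        raise MalformedOid("empty OBJECT IDENTIFIER")
    # Unpack the combined first sub-identifier into the first two arcs.
    first = arcs[0]
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return tuple(head + arcs[1:])


def oid_to_str(arcs: tuple) -> str:
    """Render decoded arcs in dotted notation."""
    return ".".join(str(a) for a in arcs)


if __name__ == "__main__":
    # Constructed sample: the content octets of the rsaEncryption OID.
    rsa = bytes.fromhex("2a864886f70d010101")
    print(oid_to_str(decode_oid_content(rsa)))  # 1.2.840.113549.1.1.1

    # Constructed sample: one arc padded with 100 continuation octets.
    oversized = b"\x2a" + b"\x80" * 100 + b"\x01"
    try:
        decode_oid_content(oversized)
    except MalformedOid as exc:
        print("rejected:", exc)
```

The cap is applied before the shift so the rejection cost is constant per octet regardless of how many continuation octets follow; a decoder that only checks the final value, or only total length, still does the full accumulation work first.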
For the oldstable distribution (bookworm), this problem has been fixed
in version 0.4.8-3+deb12u1.
For the stable distribution (trixie), this problem has been fixed in
version 0.6.1-1+deb13u1.
We recommend that you upgrade your pyasn1 packages.
For the detailed security status of pyasn1 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/pyasn1
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/