
Two security advisories have been issued for Debian GNU/Linux 11 (Bullseye) LTS, one for ruby-saml and one for libsndfile. The ruby-saml advisory fixes a Denial of Service (DoS) vulnerability triggered by large SAML responses, resolved in version 1.11.0-1+deb11u3. The libsndfile advisory addresses two vulnerabilities: CVE-2022-33065, in which signed integer overflows allow DoS or other unspecified impacts, and CVE-2024-50612, an out-of-bounds read that causes memory corruption when parsing a specially crafted input file. Users are advised to upgrade to the fixed packages (ruby-saml 1.11.0-1+deb11u3 and libsndfile 1.0.31-2+deb11u1) to resolve these issues.

[DLA 4288-1] ruby-saml security update
[DLA 4287-1] libsndfile security update




[SECURITY] [DLA 4288-1] ruby-saml security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4288-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 01, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : ruby-saml
Version : 1.11.0-1+deb11u3
CVE ID : CVE-2025-54572

A Denial of Service (DoS) with large SAML responses has been fixed in ruby-saml,
a library implementing the client side of SAML authorization
for the Ruby interpreter.

For Debian 11 bullseye, this problem has been fixed in version
1.11.0-1+deb11u3.

We recommend that you upgrade your ruby-saml packages.

For the detailed security status of ruby-saml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-saml

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4287-1] libsndfile security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4287-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Paride Legovini
August 31, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libsndfile
Version : 1.0.31-2+deb11u1
CVE ID : CVE-2022-33065 CVE-2024-50612

Two vulnerabilities have been fixed in the audio data read/write library
libsndfile.

CVE-2022-33065

Multiple signed integer overflows in the function au_read_header in src/au.c
and in the functions mat4_open and mat4_read_header in src/mat4.c in
libsndfile allow an attacker to cause a Denial of Service or other
unspecified impacts.

CVE-2024-50612

An out-of-bounds read in ogg_vorbis.c (vorbis_analysis_wrote()) can cause
memory corruption when parsing a specially crafted input file. This
vulnerability leads to a Denial of Service (DoS).

For Debian 11 bullseye, these problems have been fixed in version
1.0.31-2+deb11u1.

We recommend that you upgrade your libsndfile packages.

For the detailed security status of libsndfile please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsndfile

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS