Debian has released security updates for two packages: Shibboleth-SP (DSA 5994-1) for both Debian GNU/Linux 12 (Bookworm) and 13 (Trixie) and modsecurity-apache (DLA 4294-1) for Debian GNU/Linux 11 (Bullseye) LTS. The Shibboleth-SP update fixes an SQL vulnerability in its ODBC plugin, which could result in an information leak. The modsecurity-apache update fixes a cross-site scripting issue caused by insufficient return value handling.

[DSA 5994-1] shibboleth-sp security update
[DLA 4294-1] modsecurity-apache security update

[SECURITY] [DSA 5994-1] shibboleth-sp security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5994-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 07, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : shibboleth-sp
Debian Bug : 1114506

Florian Stuhlmann discovered a SQL vulnerability in the ODBC plugin in the
Shibboleth Service Provider which may result in information leak.

For additional information please refer to the upstream advisory at
https://shibboleth.net/community/advisories/secadv_20250903.txt

For the oldstable distribution (bookworm), this problem has been fixed
in version 3.4.1+dfsg-2+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 3.5.0+dfsg-2+deb13u1.

We recommend that you upgrade your shibboleth-sp packages.

For the detailed security status of shibboleth-sp please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/shibboleth-sp

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DLA 4294-1] modsecurity-apache security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4294-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 07, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : modsecurity-apache
Version : 2.9.3-3+deb11u5
CVE ID : CVE-2025-54571
Debian Bug : 1110480

Cross-site scripting due to insufficient return value handling has been
fixed in modsecurity-apache, a module for the Apache webserver to
tighten Web application security.

For Debian 11 bullseye, this problem has been fixed in version
2.9.3-3+deb11u5.

We recommend that you upgrade your modsecurity-apache packages.

For the detailed security status of modsecurity-apache please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/modsecurity-apache

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS