Debian 10694

Debian has released several security advisories: DLA-4300-1 for Shibboleth Service Provider (shibboleth-sp), which fixes a SQL injection vulnerability in its ODBC plugin; DLA-4299-1 for Jetty 9 (jetty9), which resolves the MadeYouReset HTTP/2 vulnerability; DSA-6001-1 for cJSON (cjson), which fixes an out-of-bounds memory access caused by insufficient input sanitising; and ELA-1516-1 for ImageMagick (imagemagick), which addresses multiple vulnerabilities. The Shibboleth Service Provider advisory recommends upgrading to version 3.2.2+dfsg1-1+deb11u1 and the Jetty 9 advisory to version 9.4.57-0+deb11u3 (both for bullseye); the cJSON fix is in 1.7.15-1+deb12u4 (bookworm) and 1.7.18-3.1+deb13u1 (trixie). The ImageMagick advisory, for stretch Extended LTS, fixes memory leaks, format string bugs, integer overflows and a division by zero in various coders and core functions of the suite. Users are advised to upgrade the affected packages to address these vulnerabilities.

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1516-1 imagemagick security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4300-1] shibboleth-sp security update
[DLA 4299-1] jetty9 security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6001-1] cjson security update



[SECURITY] [DLA 4300-1] shibboleth-sp security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4300-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
September 14, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : shibboleth-sp
Version : 3.2.2+dfsg1-1+deb11u1
CVE ID : CVE-2025-9943
Debian Bug : 1114506

Florian Stuhlmann discovered a SQL injection vulnerability in the ODBC plugin
of the Shibboleth Service Provider, which may result in an information leak.

For Debian 11 bullseye, this problem has been fixed in version
3.2.2+dfsg1-1+deb11u1.

We recommend that you upgrade your shibboleth-sp packages.

For the detailed security status of shibboleth-sp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/shibboleth-sp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4299-1] jetty9 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4299-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 14, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : jetty9
Version : 9.4.57-0+deb11u3
CVE ID : CVE-2025-5115
Debian Bug : 1111766

The MadeYouReset HTTP/2 denial-of-service vulnerability (CVE-2025-5115) has
been fixed in the Jetty web server and servlet container.

For Debian 11 bullseye, this problem has been fixed in version
9.4.57-0+deb11u3.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6001-1] cjson security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6001-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 14, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : cjson
CVE ID : CVE-2025-57052

It was discovered that cJSON, an ultralightweight JSON parser, performed
insufficient input sanitising, which could result in out-of-bounds
memory access.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.7.15-1+deb12u4.

For the stable distribution (trixie), this problem has been fixed in
version 1.7.18-3.1+deb13u1.

We recommend that you upgrade your cjson packages.

For the detailed security status of cjson please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cjson

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1516-1 imagemagick security update


Package : imagemagick
Version : 8:6.9.7.4+dfsg-11+deb9u22 (stretch)

Related CVEs :
CVE-2017-11531
CVE-2017-11532
CVE-2017-11534
CVE-2025-53014
CVE-2025-53019
CVE-2025-53101
CVE-2025-55154
CVE-2025-55212
CVE-2025-55298
CVE-2025-57803
CVE-2025-57807

Multiple vulnerabilities were fixed in imagemagick, an image manipulation
software suite.

CVE-2017-11531
A crafted file passed to convert can lead to a memory leak in the
WriteHISTOGRAMImage() function in coders/histogram.c.

CVE-2017-11532
A crafted file passed to convert can lead to a memory leak in the
WriteMPCImage() function in coders/mpc.c.

CVE-2017-11534
A crafted file passed to convert can lead to a memory leak in the
lite_font_map() function in coders/wmf.c.

CVE-2025-53014
A heap buffer overflow was found in the `InterpretImageFilename`
function. The issue stems from an off-by-one error that causes
out-of-bounds memory access when processing format strings
containing consecutive percent signs (`%%`).

CVE-2025-53019
In ImageMagick's `magick stream` command, specifying multiple
consecutive `%d` format specifiers in a filename template
caused a memory leak.

CVE-2025-53101
In ImageMagick's `magick mogrify` command, specifying
multiple consecutive `%d` format specifiers in a filename
template caused internal pointer arithmetic to generate
an address below the beginning of the stack buffer,
resulting in a stack overflow through `vsnprintf()`.

CVE-2025-55154
The magnified size calculations in ReadOneMNGImage()
(in coders/png.c) are unsafe and can overflow,
leading to memory corruption.

CVE-2025-55212
Passing a geometry string containing only a colon (":")
to montage -geometry leads GetGeometry() to set width and height
to 0. Later, ThumbnailImage() divides by these zero dimensions,
triggering a crash (SIGFPE/abort).

CVE-2025-55298
A format string bug vulnerability exists in InterpretImageFilename
function where user input is directly passed to FormatLocaleString
without proper sanitization. An attacker can overwrite arbitrary
memory regions, enabling a wide range of attacks from heap
overflow to remote code execution.

CVE-2025-57803
A 32-bit integer overflow in the BMP encoder's scanline-stride
computation collapses bytes_per_line (stride) to a tiny
value while the per-row writer still emits 3 × width bytes
for 24-bpp images. The row base pointer advances using the
(overflowed) stride, so the first row immediately writes
past its slot and into adjacent heap memory with
attacker-controlled bytes.
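The stride collapse described for CVE-2025-57803, as an added illustration that is not ImageMagick's coders/bmp.c: the function names (bmp_stride_unchecked, bmp_stride_checked and friends) are invented for this example, and the width 178956971 is a constructed input chosen so that width × 24 wraps to 8 in 32-bit arithmetic. The unchecked variant reproduces the wrapped stride; the checked variant does the arithmetic in 64 bits and rejects any stride that cannot hold a full row, which is the check a BMP encoder needs before advancing the row pointer.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Illustration of the CVE-2025-57803 pattern (example code, not
 * ImageMagick's). A BMP scanline stride is the row length in bits,
 * rounded up to a multiple of 32 bits, expressed in bytes. Evaluated in
 * uint32_t the product width * bits_per_pixel wraps modulo 2^32, while
 * the row writer still emits width * 3 bytes for 24-bpp data.
 */

/* The classic formula evaluated in 32-bit arithmetic: width * bpp may wrap. */
static uint32_t bmp_stride_unchecked(uint32_t width, uint32_t bits_per_pixel)
{
    uint32_t bits = width * bits_per_pixel;   /* wraps for large widths */
    return ((bits + 31) / 32) * 4;
}

/* Bytes the per-row writer actually emits for one 24-bpp row. */
static uint64_t bmp_row_bytes_24bpp(uint32_t width)
{
    return (uint64_t)width * 3;
}

/* 1 if the wrapped stride is smaller than one emitted row, i.e. the very
 * first row write already runs past its slot into adjacent heap memory. */
static int bmp_row_overflows(uint32_t width)
{
    return (uint64_t)bmp_stride_unchecked(width, 24) < bmp_row_bytes_24bpp(width);
}

/* Hardened computation: 64-bit arithmetic (the product of two uint32_t
 * values always fits), and the stride must be at least as large as the
 * bytes needed for one row. Returns 0 when the geometry is rejected. */
static uint64_t bmp_stride_checked(uint32_t width, uint32_t bits_per_pixel)
{
    if (width == 0 || bits_per_pixel == 0)
        return 0;
    uint64_t bits = (uint64_t)width * bits_per_pixel;
    uint64_t stride = ((bits + 31) / 32) * 4;
    uint64_t row_bytes = (bits + 7) / 8;      /* bytes one row occupies */
    if (stride < row_bytes || stride > (uint64_t)SIZE_MAX)
        return 0;
    return stride;
}

int main(void)
{
    /* Constructed widths: a normal one and one whose width*24 wraps to 8. */
    const uint32_t widths[] = { 1024u, 178956971u };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        uint32_t w = widths[i];
        printf("width=%u unchecked stride=%u row bytes=%llu overflow=%d checked stride=%llu\n",
               w, bmp_stride_unchecked(w, 24),
               (unsigned long long)bmp_row_bytes_24bpp(w),
               bmp_row_overflows(w),
               (unsigned long long)bmp_stride_checked(w, 24));
    }
    return 0;
}
```

For width 178956971 the unchecked stride is 4 bytes while the row writer emits 536870913 bytes, so the first memcpy of a 24-bpp row lands far outside the buffer; the checked computation yields 536870916 for the same width, or 0 for geometries it refuses.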

CVE-2025-57807
A security problem was found in SeekBlob(), which permits
advancing the stream offset beyond the current end without
increasing capacity, and WriteBlob(), which then expands by
quantum + length (amortized) instead of offset + length,
and copies to data + offset. When offset ≫ extent, the
copy targets memory beyond the allocation, producing a
deterministic heap write on 64-bit builds. No 2⁶⁴
arithmetic wrap, external delegates, or policy settings
are required.
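A model of the SeekBlob()/WriteBlob() interaction described for CVE-2025-57807, as an added example that is not ImageMagick's MagickCore/blob.c: the Blob struct and the blob_* function names are invented here, the quantum of 16 bytes and the seek offset of 1000000 are constructed inputs, and the vulnerable writer refuses the copy (returning -1) at exactly the point where the real code would write past the allocation, so the program runs without corrupting its own heap. The fixed writer sizes the buffer from offset + length, with an overflow check, and zero-fills the gap the seek skipped.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration of the CVE-2025-57807 pattern (example code, not
 * ImageMagick's). A growable blob with a stream offset that seek may move
 * past the allocated extent without growing storage. */
typedef struct {
    unsigned char *data;
    size_t extent;   /* bytes allocated */
    size_t length;   /* logical end of the data */
    size_t offset;   /* current stream position */
    size_t quantum;  /* amortised growth step */
} Blob;

static int blob_init(Blob *b, size_t quantum)
{
    b->data = calloc(quantum, 1);
    if (b->data == NULL) return 0;
    b->extent = quantum; b->length = 0; b->offset = 0; b->quantum = quantum;
    return 1;
}

static void blob_free(Blob *b) { free(b->data); b->data = NULL; b->extent = 0; }

/* Reallocate to new_extent and zero the newly added tail. */
static int blob_grow(Blob *b, size_t new_extent)
{
    unsigned char *p = realloc(b->data, new_extent);
    if (p == NULL) return 0;
    memset(p + b->extent, 0, new_extent - b->extent);
    b->data = p; b->extent = new_extent;
    return 1;
}

/* Seek as reported: the offset moves anywhere, capacity is untouched. */
static void blob_seek(Blob *b, size_t offset) { b->offset = offset; }

/* Vulnerable write: growth is extent + quantum + len and ignores the
 * offset. Returns bytes written, or -1 where the real code would memcpy to
 * data + offset beyond the allocation. */
static long blob_write_vulnerable(Blob *b, const void *src, size_t len)
{
    if (b->offset + len > b->extent)
        if (!blob_grow(b, b->extent + b->quantum + len)) return -1;
    if (b->offset + len > b->extent)
        return -1;                     /* the out-of-bounds heap write */
    memcpy(b->data + b->offset, src, len);
    b->offset += len;
    if (b->offset > b->length) b->length = b->offset;
    return (long)len;
}

/* Fixed write: capacity is driven by offset + len (overflow-checked), so a
 * far seek is followed by a correctly sized, zero-filled buffer. */
static long blob_write_fixed(Blob *b, const void *src, size_t len)
{
    if (len > SIZE_MAX - b->offset) return -1;   /* offset + len would wrap */
    size_t need = b->offset + len;
    if (need > b->extent) {
        size_t amortised = (b->extent > SIZE_MAX - b->quantum)
                           ? SIZE_MAX : b->extent + b->quantum;
        if (!blob_grow(b, need > amortised ? need : amortised)) return -1;
    }
    memcpy(b->data + b->offset, src, len);
    b->offset += len;
    if (b->offset > b->length) b->length = b->offset;
    return (long)len;
}

/* Replays the report's scenario with one writer: a short write, a seek far
 * past the extent, a second write. Returns -1 if the writer refused (where
 * the real code corrupts the heap), 1 if the bytes landed at the seek
 * offset with the skipped gap reading as zero, 0 on any other outcome. */
static int replay(long (*writer)(Blob *, const void *, size_t), size_t far_offset)
{
    Blob b;
    int result = 0;
    if (!blob_init(&b, 16)) return 0;
    if (writer(&b, "hello", 5) != 5) { blob_free(&b); return 0; }
    blob_seek(&b, far_offset);
    long n = writer(&b, "ZZZZ", 4);
    if (n < 0)
        result = -1;
    else if (n == 4 && b.extent >= far_offset + 4 && b.length == far_offset + 4
             && b.data[far_offset] == 'Z' && b.data[far_offset + 3] == 'Z'
             && b.data[5] == 0)
        result = 1;
    blob_free(&b);
    return result;
}

int main(void)
{
    printf("vulnerable, seek 1000000: %d\n", replay(blob_write_vulnerable, 1000000));
    printf("fixed,      seek 1000000: %d\n", replay(blob_write_fixed, 1000000));
    printf("vulnerable, seek 8:       %d\n", replay(blob_write_vulnerable, 8));
    return 0;
}
```

With a 16-byte quantum, the vulnerable writer grows the buffer to 36 bytes after the seek to 1000000 and would then copy to data + 1000000, roughly a megabyte past the end; the same sequence with the fixed writer ends with a 1000004-byte buffer and the data where the caller expects it. A seek that stays within quantum + length of the old extent succeeds with either writer, which is why the bug only shows with a large offset.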

