[SECURITY] [DLA 4312-1] squid security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4312-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
September 27, 2025                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : squid
Version : 4.13-10+deb11u5
CVE ID : CVE-2023-5824 CVE-2023-46728 CVE-2025-54574
Debian Bug : 1055249
Three security issues were discovered in the Squid proxy caching server,
which could result in the execution of arbitrary code, information
disclosure or denial of service.
CVE-2023-5824
Squid validates the size of HTTP response headers before caching them, but
a cached HTTP response header may later grow beyond the configured maximum
size. When such a large header is retrieved from the disk cache, the
worker process can stall or crash, resulting in a denial of service.
CVE-2023-46728
Due to a NULL pointer dereference bug, Squid is vulnerable to a denial of
service attack against its Gopher gateway. The obsolete Gopher protocol,
although non-functional, was always available and enabled. Responses
triggering this bug can be received from any Gopher server, even one
without malicious intent. Gopher support (already non-functional) has
been removed to fix this CVE. Note that Gopher was deprecated, and major
browsers removed it, a long time ago.
CVE-2025-54574
Squid is vulnerable to a heap buffer overflow and possible remote code
execution (RCE) when processing URNs, due to incorrect buffer management.
For Debian 11 bullseye, these problems have been fixed in version
4.13-10+deb11u5.
We recommend that you upgrade your squid packages.
For the detailed security status of squid please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squid
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1527-1 mplayer security update
Package : mplayer
Version : 2:1.3.0-6+deb9u1 (stretch)
Related CVEs :
CVE-2022-38850
CVE-2022-38851
CVE-2022-38855
CVE-2022-38858
CVE-2022-38860
CVE-2022-38861
CVE-2022-38863
CVE-2022-38864
CVE-2022-38865
CVE-2022-38866
Several issues have been found in mplayer, a movie player for Unix-like systems. They are related to buffer overflows, division by zero, or out-of-bounds reads in different parts of the code.
ELA-1526-1 ceph security update
Package : ceph
Version : 10.2.11-2+deb9u3 (stretch), 12.2.11+dfsg1-2.1+deb10u2 (buster)
Related CVEs :
CVE-2025-52555
Ceph, a distributed file system, was affected by a vulnerability.
An unprivileged user can escalate to root privileges in a ceph-fuse mounted CephFS by running chmod 777 on a directory owned by root to gain access.
As a result, a user could read, write and execute in any directory as long as they chmod 777 it. This impacts confidentiality, integrity, and availability.