Debian GNU/Linux 8 (Jessie), 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1476-1 sudo security update
Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1475-1 gst-plugins-good1.0 security update
ELA-1478-1 rar security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1474-1 catdoc security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1479-1 commons-vfs security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4234-1] catdoc security update
[DLA 4235-1] sudo security update
[DLA 4236-1] mbedtls security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5954-1] sudo security update
[SECURITY] [DLA 4234-1] catdoc security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4234-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
June 30, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : catdoc
Version : 1:0.95-4.1+deb11u1
CVE ID : CVE-2024-48877 CVE-2024-52035 CVE-2024-54028
Debian Bug : 1107168
Multiple vulnerabilities have been fixed in catdoc, a text extractor for
MS-Office files.
CVE-2024-48877
memory corruption
CVE-2024-52035
integer overflow
CVE-2024-54028
integer underflow
For Debian 11 bullseye, these problems have been fixed in version
1:0.95-4.1+deb11u1.
We recommend that you upgrade your catdoc packages.
For the detailed security status of catdoc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/catdoc
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1474-1 catdoc security update
Package : catdoc
Version : 1:0.94.3~git20160113.dbc9ec6+dfsg-1+deb9u2 (stretch), 1:0.95-4.1+deb11u1~deb10u1 (buster)
Related CVEs :
CVE-2024-48877
CVE-2024-52035
CVE-2024-54028
Multiple vulnerabilities have been fixed in catdoc, a text extractor for MS-Office files.
CVE-2024-48877
memory corruption
CVE-2024-52035
integer overflow
CVE-2024-54028
integer underflow
[SECURITY] [DSA 5954-1] sudo security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5954-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 30, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : sudo
CVE ID : CVE-2025-32462
Rich Mirch discovered that sudo, a program designed to provide limited
super user privileges to specific users, does not correctly handle the
host (-h or --host) option. Due to a bug the host option was not
restricted to listing privileges only and could be used when running a
command via sudo or editing a file with sudoedit. Depending on the rules
present in the sudoers file the flaw might allow a local privilege
escalation attack.
For the stable distribution (bookworm), this problem has been fixed in
version 1.9.13p3-1+deb12u2.
We recommend that you upgrade your sudo packages.
For the detailed security status of sudo please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/sudo
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4235-1] sudo security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4235-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
June 30, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : sudo
Version : 1.9.5p2-3+deb11u2
CVE ID : CVE-2025-32462
Rich Mirch discovered that sudo, a program designed to provide limited
super user privileges to specific users, does not correctly handle the
host (-h or --host) option. Due to a bug the host option was not
restricted to listing privileges only and could be used when running a
command via sudo or editing a file with sudoedit. Depending on the rules
present in the sudoers file the flaw might allow a local privilege
escalation attack.
For Debian 11 bullseye, this problem has been fixed in version
1.9.5p2-3+deb11u2.
We recommend that you upgrade your sudo packages.
For the detailed security status of sudo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sudo
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1476-1 sudo security update
Package : sudo
Version : 1.8.10p3-1+deb8u10 (jessie), 1.8.19p1-2.1+deb9u7 (stretch), 1.8.27-1+deb10u7 (buster)
Related CVEs :
CVE-2025-32462
Rich Mirch discovered that sudo, a program designed to provide limited
super user privileges to specific users, does not correctly handle the
host (-h or --host) option. Due to a bug the host option was not
restricted to listing privileges only and could be used when running a
command via sudo or editing a file with sudoedit. Depending on the rules
present in the sudoers file the flaw might allow a local privilege
escalation attack.
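The same flaw is described in DSA-5954-1, DLA-4235-1 and ELA-1476-1 above: on an unpatched sudo, -h/--host is honoured when running a command, not only when listing privileges, so a rule written for another host can be selected on this one. The following audit script is an added example, not code from the advisories or from the sudo project. It lists the user specifications whose host field names something other than ALL or the host the check is run for, since those are the rules that matter under the advisory's description. The sample sudoers text, its hosts, users and commands are constructed; the hostname matching is a simplification (sudo also matches IP addresses, netmasks and +netgroups, which this script conservatively reports as other hosts, and the "!" negation is not interpreted), and @include/#includedir directives are not followed.

```python
import re
import sys

# Constructed sample sudoers (not from any real system). Hosts, users and
# commands are invented for the example.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Host_Alias WEBSERVERS = web01, web02
User_Alias ADMINS = alice, bob

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# carol may restart nginx, but only on the web servers
carol   WEBSERVERS = (root) /usr/bin/systemctl restart nginx
# dave gets a passwordless root shell, but only on the bastion host
dave    bastion01 = (ALL) NOPASSWD: ALL
# erin's rule is scoped to build01, the host this audit is run for
erin    build01 = (root) /usr/bin/apt-get
"""

# Alias definitions and user specifications ("users hosts = rest").
ALIAS = re.compile(r"^(Host_Alias|User_Alias|Runas_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
USER_SPEC = re.compile(r"^(?P<users>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*(?P<rest>.+)$")


def is_local(host, local_host):
    """Simplified host matching: ALL, the full hostname or its short form
    count as local. Addresses, netmasks and netgroups are not resolved here
    and are therefore reported as other hosts (a conservative choice)."""
    short = local_host.split(".")[0].lower()
    return host.lower() in ("all", local_host.lower(), short)


def audit_sudoers(text, local_host):
    """Return (users, host, rule) for every user specification whose host
    field, after Host_Alias expansion, is not ALL and not local_host."""
    host_aliases = {}
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments; #include is not followed
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS.match(line)
        if m:
            if m.group(1) == "Host_Alias":
                host_aliases[m.group(2)] = [h.strip() for h in m.group(3).split(",")]
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        for entry in (h.strip() for h in m.group("hosts").split(",")):
            for host in host_aliases.get(entry, [entry]):
                if not is_local(host, local_host):
                    findings.append((m.group("users"), host, m.group("rest")))
    return findings


if __name__ == "__main__":
    # Usage: python audit_sudoers.py [sudoers-file] [hostname]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    this_host = sys.argv[2] if len(sys.argv) > 2 else "build01"
    for users, host_field, rule in audit_sudoers(text, this_host):
        print(f"{users}: rule for host {host_field!r}: {rule}")
```

Run against the sample for build01, the script reports carol's rules for web01 and web02 and dave's passwordless root rule for bastion01; erin's rule is scoped to build01 and is not listed. Rules that appear here are the ones to review (or rewrite without per-host scoping) while the updated sudo packages are being rolled out.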
ELA-1475-1 gst-plugins-good1.0 security update
Package : gst-plugins-good1.0
Version : 1.10.4-1+deb9u4 (stretch)
Related CVEs :
CVE-2024-47537
CVE-2024-47540
CVE-2024-47544
CVE-2024-47596
CVE-2024-47599
CVE-2024-47601
CVE-2024-47602
CVE-2024-47603
CVE-2024-47606
CVE-2024-47613
CVE-2024-47774
CVE-2024-47775
CVE-2024-47776
CVE-2024-47777
CVE-2024-47778
CVE-2024-47834
Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework and its codecs and demuxers, which may result in denial
of service or potentially the execution of arbitrary code if a malformed
media file is opened.
[SECURITY] [DLA 4236-1] mbedtls security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4236-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
June 30, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : mbedtls
Version : 2.16.9-0.1+deb11u1
CVE ID : CVE-2021-24119 CVE-2021-36647 CVE-2021-43666 CVE-2021-44732
CVE-2022-46392
Multiple vulnerabilities have been fixed in mbedtls, a lightweight crypto and
SSL/TLS library.
CVE-2021-24119
A side-channel vulnerability in base64 PEM file decoding allows
system-level (administrator) attackers to obtain information about
secret RSA keys via a controlled-channel and side-channel attack on
software running in isolated environments that can be single stepped,
especially Intel SGX.
CVE-2021-36647
Function mbedtls_mpi_exp_mod() in bignum.c in Mbed TLS, all versions
before 3.0.0, 2.27.0 or 2.16.11, allowed attackers with access
to precise enough timing and memory access information (typically an
untrusted operating system attacking a secure enclave such as SGX or
the TrustZone secure world) to recover the private keys used in RSA.
CVE-2021-43666
In the mbedtls_pkcs12_derivation function, an input password of
length 0 caused a denial of service.
CVE-2021-44732
Function mbedtls_ssl_set_session() performed a double free in certain
out-of-memory conditions.
CVE-2022-46392
An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a
secure enclave) could recover an RSA private key after observing the
victim performing a single private-key operation, if the window size
(MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.
For Debian 11 bullseye, these problems have been fixed in version
2.16.9-0.1+deb11u1.
We recommend that you upgrade your mbedtls packages.
For the detailed security status of mbedtls please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mbedtls
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1479-1 commons-vfs security update
Package : commons-vfs
Version : 2.1-2+deb10u1 (buster)
Related CVEs :
CVE-2025-27553
A vulnerability was discovered in Apache Commons VFS, a Java API for accessing
various filesystems.
CVE-2025-27553
A relative path traversal vulnerability was discovered in Apache Commons
VFS. The FileObject API in Commons VFS has a 'resolveFile' method that
takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that
"an exception is thrown if the resolved file is not a descendent of the
base file". But when a path contains encoded ".." characters (for example,
"%2E%2E/bar.txt"), it might return file objects that are not a descendent
of the base file, without throwing an exception.
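The bug class described above is worth seeing side by side with its fix. The following is an added example and not Commons VFS code: `resolve_vulnerable` models the flawed pattern (the descendant check inspects the path as written, and percent-decoding happens afterwards), while `resolve_descendent` performs the check on the decoded, normalised, absolute result, which is the only representation that matters. The base directory and the sample paths are constructed; the hardened version mirrors the strict NameScope.DESCENDENT contract, so the base itself is rejected as well.

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory for the example.
BASE = "/srv/share/docs"


def resolve_vulnerable(base, rel):
    """Model of the flawed pattern: '..' is rejected only in the raw text,
    then the name is percent-decoded, so '%2E%2E' (or '..%2F') passes the
    check and still climbs out of base."""
    if ".." in rel.split("/"):
        raise ValueError(f"{rel!r} is not a descendent of {base!r}")
    decoded = unquote(rel)                      # decoding after the check: too late
    return posixpath.normpath(posixpath.join(base, decoded))


def resolve_descendent(base, rel):
    """Hardened form: decode once (the same decoding the resolver applies),
    normalise, then compare the final absolute path with the base. Doubly
    encoded input decodes to a literal '%2E%2E' name, which is harmless."""
    base_n = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base_n, unquote(rel)))
    if target == base_n or not target.startswith(base_n + "/"):
        raise ValueError(f"{rel!r} is not a descendent of {base!r}")
    return target


def is_rejected(resolver, base, rel):
    """True if the resolver refuses rel; used to compare both behaviours."""
    try:
        resolver(base, rel)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the first two are the encoded traversals, the rest
    # show that legitimate descendants still resolve.
    for rel in ("%2E%2E/bar.txt", "..%2Fbar.txt", "a/%2E%2E/b.txt", "%252E%252E/x.txt", ""):
        for name, fn in (("vulnerable", resolve_vulnerable), ("hardened", resolve_descendent)):
            outcome = "rejected" if is_rejected(fn, BASE, rel) else fn(BASE, rel)
            print(f"{name:10} {rel!r:20} -> {outcome}")
```

The difference shows up on "%2E%2E/bar.txt": the vulnerable resolver returns /srv/share/bar.txt without an exception, the hardened one raises. The general rule is to validate the canonical form that will actually be used, never an earlier encoding of it.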
ELA-1478-1 rar security update
Package : rar
Version : 2:7.01-1~deb9u1 (stretch)
Related CVEs :
CVE-2024-33899
ANSI escape injection has been fixed in the RAR archiver.
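The defensive side of this bug class, as an added example that is not code from the rar package: archive member names are attacker-controlled, and a listing that writes them to a terminal unfiltered lets the archive author erase or overwrite lines, hide entries or plant OSC 8 hyperlinks. The script below detects the usual control sequences in a list of names and renders every C0/C1 control byte as a visible \xNN escape before printing. The member names are constructed for the example.

```python
import re

# Terminal control sequences an attacker would embed in a file name:
# 7-bit CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ST), the other
# two-byte ESC sequences, and the 8-bit CSI form.
ANSI_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: parameters, intermediates, final byte
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC (e.g. OSC 8 hyperlinks), ended by BEL or ST
    r"|\x1b[@-Z\\-_]"                      # other Fe escapes (ESC followed by one byte)
    r"|\x9b[0-?]*[ -/]*[@-~]"              # 8-bit CSI
)
# Every C0/C1 control byte; none of these may reach the terminal raw.
CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Constructed member names: the second uses "erase line" + "cursor up" to
# overwrite the line printed before it, the third is an OSC 8 hyperlink,
# the fourth splits one entry over two lines.
SAMPLE_NAMES = [
    "README.txt",
    "report.docx\x1b[2K\x1b[1A  harmless.pdf",
    "\x1b]8;;http://example.invalid/\x07notes.txt\x1b]8;;\x07",
    "new\nline.txt",
]


def visible(name):
    """Render every control byte as \\xNN so the terminal shows it instead of obeying it."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), name)


def find_sequences(name):
    """Escape sequences present in the name, for reporting."""
    return [m.group() for m in ANSI_SEQ.finditer(name)]


def audit_listing(names):
    """(sanitised name, sequences found) for each entry, in archive order."""
    return [(visible(n), find_sequences(n)) for n in names]


if __name__ == "__main__":
    for clean, seqs in audit_listing(SAMPLE_NAMES):
        flag = "  <-- %d escape sequence(s)" % len(seqs) if seqs else ""
        print(clean + flag)
```

Any tool that prints archive listings, log lines or file names taken from untrusted input should pass them through `visible` (or an equivalent) first; the detection regex is only there to explain what was found.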