Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4182-1] syslog-ng security update
[DLA 4183-1] setuptools security update
[DLA 4188-1] python-tornado security update
[DLA 4185-1] yelp-xsl security update
[DLA 4184-1] yelp security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5923-2] net-tools regression update
[DSA 5928-1] libvpx security update
[DSA 5927-1] yelp security update
[DSA 5926-1] firefox-esr security update
[SECURITY] [DLA 4182-1] syslog-ng security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4182-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
May 28, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : syslog-ng
Version : 3.28.1-2+deb11u2
CVE ID : CVE-2024-47619
A security issue was found in syslog-ng, an enhanced log daemon. In
prior versions, `tls_wildcard_match()` accepted certificate names such as
`foo.*.bar`, although a wildcard is not allowed in that position. It was
also possible to pass partial wildcards such as `foo.a*c.bar`, which glib
matches but which should be rejected as invalid. This issue could affect
TLS connections, for example in man-in-the-middle situations.
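To make the distinction concrete, here is an added illustration (not syslog-ng's or glib's code) of a strict certificate-name matcher that only accepts a wildcard as the entire left-most label, shown next to a glob-style matcher of the lenient kind the advisory describes; the function names and the sample names are assumptions for this example.

```python
import fnmatch
import re

# A single DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def glob_style_match(pattern: str, hostname: str) -> bool:
    """Lenient glob matching (like fnmatch/glib): '*' matches anything,
    including dots, and may appear anywhere in a label.  This is the
    behaviour the advisory says must be avoided."""
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def strict_wildcard_match(pattern: str, hostname: str) -> bool:
    """Strict matching: a '*' is only valid as the whole left-most label
    ('*.example.com'), it matches exactly one label, and at least two
    fixed labels must follow it.  Inner wildcards ('foo.*.bar') and partial
    wildcards ('foo.a*c.bar') are rejected outright."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    for i, label in enumerate(p_labels):
        # Reject any '*' that is not the complete first label.
        if "*" in label and (i != 0 or label != "*"):
            return False
        if label != "*" and not _LABEL_RE.match(label):
            return False
    if not all(_LABEL_RE.match(label) for label in h_labels):
        return False
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans several labels
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False  # '*.com' would otherwise match every .com host
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


if __name__ == "__main__":
    for pat, host in [("foo.*.bar", "foo.x.bar"), ("foo.a*c.bar", "foo.abc.bar"),
                      ("*.example.com", "www.example.com")]:
        print(pat, host, glob_style_match(pat, host), strict_wildcard_match(pat, host))
```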
For Debian 11 bullseye, this problem has been fixed in version
3.28.1-2+deb11u2.
We recommend that you upgrade your syslog-ng packages.
For the detailed security status of syslog-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/syslog-ng
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4183-1] setuptools security update
From: Lee Garrett [debian@rocketjump.eu]
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4183-1] setuptools security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4183-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Lee Garrett
May 28, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : setuptools
Version : 52.0.0-4+deb11u2
CVE ID : CVE-2025-47273
Debian Bug : 1105970
A path traversal vulnerability was found in the `PackageIndex` class of
setuptools. An attacker could write files to arbitrary locations on the
filesystem with the permissions of the process running the Python code,
which could escalate to remote code execution depending on the context.
For Debian 11 bullseye, this problem has been fixed in version
52.0.0-4+deb11u2.
We recommend that you upgrade your setuptools packages.
For the detailed security status of setuptools please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/setuptools
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4188-1] python-tornado security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4188-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
May 29, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-tornado
Version : 6.1.0-1+deb11u2
CVE ID : CVE-2025-47287
Debian Bug : 1105886
Tornado is a scalable, non-blocking Python web framework and
asynchronous networking library.
CVE-2025-47287
When Tornado's 'multipart/form-data' parser encounters certain
errors, it logs a warning but continues trying to parse the
remainder of the data. This allows remote attackers to generate an
extremely high volume of logs, constituting a DoS attack. This DoS
is compounded by the fact that the logging subsystem is synchronous.
For Debian 11 bullseye, this problem has been fixed in version
6.1.0-1+deb11u2.
We recommend that you upgrade your python-tornado packages.
For the detailed security status of python-tornado please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-tornado
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5923-2] net-tools regression update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5923-2 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 28, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : net-tools
Debian Bug : 1106147
The update for net-tools announced in DSA 5923-1 introduced a regression
that caused ifconfig to always show zero-value packet counters. Updated
packages are now available to correct this issue. Two additional
stack-based buffer overflow flaws are also addressed in this update.
For the stable distribution (bookworm), this problem has been fixed in
version 2.10-0.1+deb12u2.
We recommend that you upgrade your net-tools packages.
For the detailed security status of net-tools please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/net-tools
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 5928-1] libvpx security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5928-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 28, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libvpx
CVE ID : CVE-2025-5283
Debian Bug : 1106689
It was discovered that a double-free in the encoder of libvpx, a
multimedia library for the VP8 and VP9 video codecs, may result in
denial of service and potentially the execution of arbitrary code.
For the stable distribution (bookworm), this problem has been fixed in
version 1.12.0-1+deb12u4.
We recommend that you upgrade your libvpx packages.
For the detailed security status of libvpx please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libvpx
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4185-1] yelp-xsl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4185-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Lucas Kanashiro
May 28, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : yelp-xsl
Version : 3.38.3-1+deb11u1
CVE ID : CVE-2025-3155
Debian Bug : 1102080
A flaw was found in Yelp, the GNOME user help application, which allows a
help document to execute arbitrary scripts. A malicious user could supply a
crafted help document that exfiltrates user files to an external location.
For Debian 11 bullseye, this problem has been fixed in version
3.38.3-1+deb11u1.
We recommend that you upgrade your yelp-xsl packages.
For the detailed security status of yelp-xsl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/yelp-xsl
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4184-1] yelp security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4184-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Lucas Kanashiro
May 28, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : yelp
Version : 3.38.3-1+deb11u1
CVE ID : CVE-2025-3155
Debian Bug : 1102080
A flaw was found in Yelp, the GNOME user help application, which allows a
help document to execute arbitrary scripts. A malicious user could supply a
crafted help document that exfiltrates user files to an external location.
For Debian 11 bullseye, this problem has been fixed in version
3.38.3-1+deb11u1.
We recommend that you upgrade your yelp packages.
For the detailed security status of yelp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/yelp
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5927-1] yelp security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5927-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 28, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : yelp
CVE ID : CVE-2025-3155
It was discovered that Yelp, the help browser for the GNOME desktop,
allowed help files to execute arbitrary scripts. Opening a malformed
help file could have resulted in data exfiltration.
For the stable distribution (bookworm), this problem has been fixed in
version 42.2-1+deb12u1 of yelp and version 42.1-2+deb12u1 of yelp-xsl.
We recommend that you upgrade your yelp packages.
For the detailed security status of yelp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/yelp
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 5926-1] firefox-esr security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5926-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 28, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : firefox-esr
CVE ID : CVE-2025-5263 CVE-2025-5264 CVE-2025-5266 CVE-2025-5267
CVE-2025-5268 CVE-2025-5269
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or cross-origin leaks.
For the stable distribution (bookworm), these problems have been fixed in
version 128.11.0esr-1~deb12u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/