
Debian has released security updates for Thunderbird and NNCP. The Thunderbird update, version 1:140.3.0esr-1~deb11u1 for Debian GNU/Linux 11 (Bullseye) LTS, fixes multiple issues that could result in arbitrary code execution, while the NNCP update for Debian GNU/Linux 12 (Bookworm) and 13 (Trixie) addresses a path traversal vulnerability in its freq and file commands.

[DLA 4311-1] thunderbird security update
[DSA 6012-1] nncp security update




[SECURITY] [DLA 4311-1] thunderbird security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4311-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
September 26, 2025                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : thunderbird
Version        : 1:140.3.0esr-1~deb11u1
CVE ID         : CVE-2025-10527 CVE-2025-10528 CVE-2025-10529 CVE-2025-10532
                 CVE-2025-10533 CVE-2025-10536 CVE-2025-10537

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

Debian follows the Thunderbird upstream releases. Support for the
128.x series has ended, so starting with this update we're now
following the 140.x series.

For Debian 11 bullseye, these problems have been fixed in version
1:140.3.0esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6012-1] nncp security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6012-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 26, 2025                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : nncp
CVE ID         : CVE-2025-60020
Debian Bug     : 1115848

Eugene Medvedev discovered that nncp, a package facilitating secure
store-and-forward file and mail exchange, was susceptible to path
traversal with the freq and file commands.

For the oldstable distribution (bookworm), this problem has been fixed
in version 8.8.2-3+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 8.11.0-4+deb13u1.

We recommend that you upgrade your nncp packages.

For the detailed security status of nncp please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/nncp

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/