Debian has issued security updates for two packages, Thunderbird and strongSwan. For Debian 11 GNU/Linux (Bullseye) LTS, the Thunderbird update fixes multiple security issues that could result in arbitrary code execution and is available in version 1:140.4.0esr-1~deb11u1. Meanwhile, the strongSwan update for both Debian GNU/Linux 12 (Bookworm) and 13 (Trixie) fixes a buffer overflow bug in the eap-mschapv2 plugin discovered by Xu Biang, which can cause an integer underflow or heap-based buffer overflow potentially exploitable for remote code execution.

[DLA 4351-1] thunderbird security update
[DSA 6041-1] strongswan security update

[SECURITY] [DLA 4351-1] thunderbird security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4351-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
October 27, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : thunderbird
Version : 1:140.4.0esr-1~deb11u1
CVE ID : CVE-2025-11708 CVE-2025-11709 CVE-2025-11710 CVE-2025-11711
CVE-2025-11712 CVE-2025-11714 CVE-2025-11715

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For Debian 11 bullseye, these problems have been fixed in version
1:140.4.0esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DSA 6041-1] strongswan security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6041-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
October 27, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : strongswan
CVE ID : CVE-2025-62291

Xu Biang discovered a buffer overflow bug in the eap-mschapv2 plugin of
strongSwan, an IKE/IPsec suite.

The eap-mschapv2 plugin doesn't correctly check the length of an
EAP-MSCHAPv2 Failure Request packet on the client, which can cause an
integer underflow that leads to a crash, and a heap-based buffer
overflow that's potentially exploitable for remote code execution.

For the oldstable distribution (bookworm), this problem has been fixed
in version 5.9.8-5+deb12u2.

For the stable distribution (trixie), this problem has been fixed in
version 6.0.1-6+deb13u2.

We recommend that you upgrade your strongswan packages.

For the detailed security status of strongswan please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/strongswan

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/