
Debian has released several security advisories to address vulnerabilities in various packages, including Thunderbird (DSA-6081-1), VLC media player (DSA-6082-1), ruby-sidekiq (DLA-4407-1), and ruby-git (DLA-4406-1). These updates fix multiple issues that could lead to arbitrary code execution or denial of service.

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4407-1] ruby-sidekiq security update
[DLA 4406-1] ruby-git security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6081-1] thunderbird security update
[DSA 6082-1] vlc security update



[SECURITY] [DSA 6081-1] thunderbird security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6081-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 14, 2025                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2025-14321 CVE-2025-14322 CVE-2025-14323 CVE-2025-14324
CVE-2025-14325 CVE-2025-14328 CVE-2025-14329 CVE-2025-14330
CVE-2025-14331 CVE-2025-14333

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1:140.6.0esr-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 1:140.6.0esr-1~deb13u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6082-1] vlc security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6082-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 14, 2025                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : vlc
CVE ID : not yet available
Debian Bug : 1013898 1021601

Multiple vulnerabilities were discovered in the VLC media player, which
could result in denial of service or potentially the execution of
arbitrary code if a malformed video file is opened.

For the oldstable distribution (bookworm), these problems have been fixed
in version 3.0.22-0+deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 3.0.22-0+deb13u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4407-1] ruby-sidekiq security update


-----------------------------------------------------------------------
Debian LTS Advisory DLA-4407-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Utkarsh Gupta
December 15, 2025                             https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package : ruby-sidekiq
Version : 6.0.4+dfsg-2+deb11u1
CVE ID : CVE-2021-30151 CVE-2022-23837
Debian Bug : 987354 1004193

ruby-sidekiq, a simple, efficient background processing library for Ruby,
had the following vulnerabilities:

CVE-2021-30151

Sidekiq allows XSS via the queue name of the live-poll feature
when Internet Explorer is used.

CVE-2022-23837

In api.rb in Sidekiq, there is no limit on the number of days
when requesting stats for the graph. This overloads the system,
affecting the Web UI, and makes it unavailable to users.

For Debian 11 bullseye, these problems have been fixed in version
6.0.4+dfsg-2+deb11u1.

We recommend that you upgrade your ruby-sidekiq packages.

For the detailed security status of ruby-sidekiq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-sidekiq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4406-1] ruby-git security update


-----------------------------------------------------------------------
Debian LTS Advisory DLA-4406-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Utkarsh Gupta
December 15, 2025                             https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package : ruby-git
Version : 1.7.0-1+deb11u1
CVE ID : CVE-2022-25648 CVE-2022-46648 CVE-2022-47318
Debian Bug : 1009926

Several vulnerabilities were reported against ruby-git, a Ruby
interface to the Git revision control system, which could lead to
command injection and execution of arbitrary Ruby code if a user is
made to load a repository containing a specially crafted filename
into the product.

For Debian 11 bullseye, these problems have been fixed in version
1.7.0-1+deb11u1.

We recommend that you upgrade your ruby-git packages.

For the detailed security status of ruby-git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS