Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1510-2 libcommons-lang-java regression update
ELA-1530-1 libcommons-lang3-java security update
ELA-1528-1 wireless-regdb upstream version update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1529-1 modsecurity-apache security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4315-1] tiff security update
[DLA 4320-1] u-boot security update
[DLA 4262-2] libcommons-lang-java regression update
[DLA 4319-1] libxml2 security update
[DLA 4318-1] libcpanel-json-xs-perl security update
[DLA 4317-1] libjson-xs-perl security update
[DLA 4286-2] libcommons-lang3-java regression update
[SECURITY] [DLA 4315-1] tiff security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4315-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Jochen Sprickerhof
September 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : tiff
Version : 4.2.0-1+deb11u7
CVE ID : CVE-2024-13978 CVE-2025-9900
Debian Bug :
Multiple vulnerabilities were fixed in tiff, a library and tools
providing support for the Tag Image File Format (TIFF).
CVE-2024-13978
Affected by this vulnerability is the function t2p_read_tiff_init of
the file tools/tiff2pdf.c of the component fax2ps. The manipulation
leads to a null pointer dereference. The attack requires local access,
its complexity is rated high, and exploitation appears to be difficult.
CVE-2025-9900
This vulnerability is a "write-what-where" condition, triggered
when the library processes a specially crafted TIFF image file.
By providing an abnormally large image height value in the file's
metadata, an attacker can trick the library into writing
attacker-controlled color data to an arbitrary memory location.
This memory corruption can be exploited to cause a denial of
service (application crash) or to achieve arbitrary code execution
with the permissions of the user.
For Debian 11 bullseye, these problems have been fixed in version
4.2.0-1+deb11u7.
We recommend that you upgrade your tiff packages.
For the detailed security status of tiff please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4320-1] u-boot security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4320-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
October 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : u-boot
Version : 2021.01+dfsg-5+deb11u2
CVE ID : CVE-2021-27097 CVE-2021-27138
Debian Bug : 983269 983270
Multiple vulnerabilities were discovered in u-boot, a boot loader for
embedded systems.
CVE-2021-27097
Strange modifications of the FIT can introduce security risks.
CVE-2021-27138
Using unit addresses in a FIT can pose security risks.
For Debian 11 bullseye, these problems have been fixed in version
2021.01+dfsg-5+deb11u2.
We recommend that you upgrade your u-boot packages.
For the detailed security status of u-boot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/u-boot
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4262-2] libcommons-lang-java regression update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4262-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
September 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libcommons-lang-java
Version : 2.6-9+deb11u2
CVE ID : CVE-2025-48924
A regression has been discovered in the latest release 2.6-9+deb11u1
of libcommons-lang-java. The patch to fix CVE-2025-48924 had not been
properly backported.
For Debian 11 bullseye, this problem has been fixed in version
2.6-9+deb11u2.
We recommend that you upgrade your libcommons-lang-java packages.
For the detailed security status of libcommons-lang-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libcommons-lang-java
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4319-1] libxml2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4319-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
September 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libxml2
Version : 2.9.10+dfsg-6.7+deb11u9
CVE ID : CVE-2025-9714 CVE-2025-7425
Debian Bug : 1109122
Two security issues were found in libxml2, the GNOME XML library, which
could yield denial of service or heap corruption.
CVE-2025-9714
It was discovered that recursion evaluation in XPath evaluation is
uncontrolled and therefore allows a local attacker to cause a stack
overflow via crafted expressions.
CVE-2025-7425
Sergei Glazunov discovered a heap-use-after-free in xmlFreeID()
caused by `atype` corruption. While the vulnerability was reported
against libxslt, the XSLT 1.0 processing library, it is now
mitigated in this libxml2 version.
For Debian 11 bullseye, these problems have been fixed in version
2.9.10+dfsg-6.7+deb11u9.
We recommend that you upgrade your libxml2 packages.
For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4318-1] libcpanel-json-xs-perl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4318-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Paride Legovini
September 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libcpanel-json-xs-perl
Version : 4.25-1+deb11u1
CVE ID : CVE-2025-40929
A vulnerability has been fixed in libcpanel-json-xs-perl, a Perl module
for serialising to JSON.
CVE-2025-40929
Integer buffer overflow causing a segfault when parsing crafted JSON,
enabling denial-of-service attacks or other unspecified impact.
For Debian 11 bullseye, this problem has been fixed in version
4.25-1+deb11u1.
We recommend that you upgrade your libcpanel-json-xs-perl packages.
For the detailed security status of libcpanel-json-xs-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libcpanel-json-xs-perl
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4317-1] libjson-xs-perl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4317-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Paride Legovini
September 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libjson-xs-perl
Version : 4.030-1+deb11u1
CVE ID : CVE-2025-40928
A vulnerability has been fixed in libjson-xs-perl, a Perl module which
does C/XS-accelerated manipulation of JSON-formatted data.
CVE-2025-40928
Integer buffer overflow causing a segfault when parsing crafted JSON,
enabling denial-of-service attacks or other unspecified impact.
For Debian 11 bullseye, this problem has been fixed in version
4.030-1+deb11u1.
We recommend that you upgrade your libjson-xs-perl packages.
For the detailed security status of libjson-xs-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libjson-xs-perl
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4286-2] libcommons-lang3-java regression update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4286-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
September 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libcommons-lang3-java
Version : 3.11-1+deb11u2
CVE ID : CVE-2025-48924
A regression has been discovered in the latest release 3.11-1+deb11u1
of libcommons-lang3-java. The patch to fix CVE-2025-48924 had not been
properly backported.
For Debian 11 bullseye, this problem has been fixed in version
3.11-1+deb11u2.
We recommend that you upgrade your libcommons-lang3-java packages.
For the detailed security status of libcommons-lang3-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libcommons-lang3-java
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
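A check a defender would want against this digest, added here and not part of the advisories: a small reimplementation of the Debian version ordering (assumed to follow dpkg's rules for epoch, upstream and revision, with '~' sorting lowest) over the bullseye fixed versions quoted in the DLA texts above, so an installed version string can be classified as still affected or not. On a Debian host `dpkg --compare-versions` gives the same answer; the pure-Python form exists only so the check runs anywhere.

```python
import re
from itertools import zip_longest

# Fixed versions for Debian 11 bullseye, taken from the DLA texts above.
FIXED_BULLSEYE = {
    "tiff": "4.2.0-1+deb11u7",
    "u-boot": "2021.01+dfsg-5+deb11u2",
    "libcommons-lang-java": "2.6-9+deb11u2",
    "libxml2": "2.9.10+dfsg-6.7+deb11u9",
    "libcpanel-json-xs-perl": "4.25-1+deb11u1",
    "libjson-xs-perl": "4.030-1+deb11u1",
    "libcommons-lang3-java": "3.11-1+deb11u2",
}

def _weight(c):  # dpkg order: '~' < end of string < letters < other symbols
    if c == "~":
        return -1
    return 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256
def _cmp_alpha(a, b):  # compare two non-digit runs character by character
    for x, y in zip_longest(a, b, fillvalue=""):
        if _weight(x) != _weight(y):
            return -1 if _weight(x) < _weight(y) else 1
    return 0
def _cmp_part(a, b):  # alternate non-digit / digit runs, like dpkg verrevcmp
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(pa, pb, fillvalue=("", "")):
        r = _cmp_alpha(sa, sb)
        if r:
            return r
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v):  # [epoch:]upstream[-revision]; missing epoch or revision is 0
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep:
        upstream, rev = rest, "0"
    return int(epoch), upstream, rev

def compare_versions(a, b):  # -1, 0 or 1, like dpkg --compare-versions
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)
def still_affected(package, installed):  # does installed predate the fix?
    return compare_versions(installed, FIXED_BULLSEYE[package]) < 0
```

Feed it the output of `dpkg-query -W -f='${Version}' <package>` to classify each host; a `~` pre-release suffix and an epoch are handled as dpkg would.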
ELA-1510-2 libcommons-lang-java regression update
Package : libcommons-lang-java
Version : 2.6-6+deb9u2 (stretch), 2.6-8+deb10u2 (buster)
The patch to fix CVE-2025-48924 has not been backported correctly and can lead
to an unexpected ClassNotFoundException in ClassUtils.getClass(). Updated
packages are now available to correct this issue.
ELA-1530-1 libcommons-lang3-java security update
Package : libcommons-lang3-java
Version : 3.5-1+deb9u1 (stretch), 3.8-2+deb10u1 (buster)
Related CVEs :
CVE-2025-48924
A vulnerability was discovered in Apache Commons Lang utility classes, a Java
API for classes that are in java.lang’s hierarchy.
CVE-2025-48924
An uncontrolled recursion vulnerability was discovered in Apache Commons
Lang. The method ClassUtils.getClass() can throw a StackOverflowError
on very long inputs.
ELA-1529-1 modsecurity-apache security update
Package : modsecurity-apache
Version : 2.9.3-3+deb11u5~deb10u1 (buster)
Cross-site scripting due to insufficient return value handling has been
fixed in modsecurity-apache, a module for the Apache webserver to
tighten Web application security.
ELA-1528-1 wireless-regdb upstream version update
Package : wireless-regdb
Version : 2025.07.10-1~deb9u1 (stretch), 2025.07.10-1~deb10u1 (buster)
This update includes the changes in wireless-regdb 2025.07.10,
reflecting changes to radio regulations in several countries.