[DLA 4204-1] twitter-bootstrap3 security update
[DLA 4203-1] kitty security update
[DLA 4205-1] libreoffice security update
[DSA 5933-1] tcpdf security update
[SECURITY] [DLA 4204-1] twitter-bootstrap3 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4204-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
June 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : twitter-bootstrap3
Version : 3.4.1+dfsg-2+deb11u2
CVE ID : CVE-2025-1647
Debian Bug : 1105899
twitter-bootstrap3, a popular front-end framework, was affected
by a vulnerability.
A cross-site scripting (XSS) vulnerability
has been identified within the Bootstrap 3 Popover component and
Bootstrap 3 Tooltip component, which allows unsanitized HTML to be used.
If you use bootstrap through a module bundler, you may need to rebuild your
application.
For Debian 11 bullseye, this problem has been fixed in version
3.4.1+dfsg-2+deb11u2.
We recommend that you upgrade your twitter-bootstrap3 packages.
For the detailed security status of twitter-bootstrap3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/twitter-bootstrap3
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4203-1] kitty security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4203-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
June 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : kitty
Version : 0.19.3-1+deb11u1
CVE ID : CVE-2022-41322
Debian Bug : 1020582
A vulnerability has been found in kitty, a fast, featureful, GPU-based
terminal emulator, which possibly allows arbitrary code execution.
CVE-2022-41322
In Kitty before 0.26.2, insufficient validation in the desktop
notification escape sequence can lead to arbitrary code execution. The
user must display attacker-controlled content in the terminal, then
click on a notification popup.
For Debian 11 bullseye, this problem has been fixed in version
0.19.3-1+deb11u1.
We recommend that you upgrade your kitty packages.
For the detailed security status of kitty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/kitty
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4205-1] libreoffice security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4205-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
June 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libreoffice
Version : 1:7.0.4-4+deb11u13
CVE ID : CVE-2025-1080 CVE-2025-2866
Multiple vulnerabilities were discovered in LibreOffice, an office
productivity software suite.
CVE-2025-1080
LibreOffice supports Office URI Schemes to enable browser
integration of LibreOffice with MS SharePoint server. An additional
scheme 'vnd.libreoffice.command' specific to LibreOffice was added.
In the affected versions of LibreOffice a link in a browser using
that scheme could be constructed with an embedded inner URL that
when passed to LibreOffice could call internal macros with arbitrary
arguments.
CVE-2025-2866
LibreOffice allows PDF Signature Spoofing by Improper Validation. In
the affected versions of LibreOffice a flaw in the verification code
for adbe.pkcs7.sha1 signatures could cause invalid signatures to be
accepted as valid.
For Debian 11 bullseye, these problems have been fixed in version
1:7.0.4-4+deb11u13.
We recommend that you upgrade your libreoffice packages.
For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5933-1] tcpdf security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5933-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 01, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : tcpdf
CVE ID : CVE-2024-22640 CVE-2024-22641 CVE-2024-32489
CVE-2024-51058 CVE-2024-56519 CVE-2024-56520
CVE-2024-56522 CVE-2024-56527
Multiple security issues were discovered in TCPDF, a PHP class for
generating PDF files on-the-fly, which may result in denial of service,
cross-site scripting or information disclosure.
For the stable distribution (bookworm), these problems have been fixed in
version 6.6.2+dfsg1-1+deb12u1.
We recommend that you upgrade your tcpdf packages.
For the detailed security status of tcpdf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tcpdf
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/