Debian GNU/Linux 9 (Stretch) ELTS:
ELA-1568-2 unbound1.9 security update
Debian GNU/Linux 10 (Buster) ELTS:
ELA-1567-2 unbound security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1586-1 cups-filters security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4392-1] mistral-dashboard security update
[DLA 4391-1] python-mistralclient security update
[DLA 4390-1] pagure security update
[DLA 4389-1] pytorch security update
[DLA 4365-2] unbound security update
Debian GNU/Linux 13 (Trixie):
[DSA 6066-1] gnome-shell-extension-gsconnect security update
[SECURITY] [DSA 6066-1] gnome-shell-extension-gsconnect security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6066-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 30, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : gnome-shell-extension-gsconnect
CVE ID : CVE-2025-66270
It was discovered that missing validation of the device ID during
handshakes in KDE Connect, a tool to integrate smart phones with a
desktop, could allow an attacker to impersonate another device.
The oldstable distribution (bookworm) is not affected.
For the stable distribution (trixie), this problem has been fixed in
version 62-1+deb13u1.
We recommend that you upgrade your gnome-shell-extension-gsconnect packages.
For the detailed security status of gnome-shell-extension-gsconnect please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnome-shell-extension-gsconnect
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1586-1 cups-filters security update
Package : cups-filters
Version : 1.11.6-3+deb9u4 (stretch), 1.21.6-5+deb10u3 (buster)
Related CVEs :
CVE-2025-57812
CVE-2025-64503
CVE-2025-64524
Several issues have been found in cups-filters, which provides additional CUPS filters.
CVE-2025-64503
out of bounds write vulnerability when processing crafted
PDF files containing a large ‘Mediabox’ value
CVE-2025-57812
out of bounds read/write vulnerability in the processing
of TIFF image files
CVE-2025-64524
infinite loop with a crafted input raster file, that results
in a heap buffer overflow
[SECURITY] [DLA 4392-1] mistral-dashboard security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4392-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
December 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : mistral-dashboard
Version : 11.0.0-2+deb11u1
CVE ID : CVE-2021-4472
A local file inclusion vulnerability has been discovered in
mistral-dashboard, the OpenStack Workflow as a Service dashboard plugin,
that may result in disclosure of arbitrary local file content through
the 'Create Workbook' feature.
For Debian 11 bullseye, this problem has been fixed in version
11.0.0-2+deb11u1.
We recommend that you upgrade your mistral-dashboard packages.
For the detailed security status of mistral-dashboard please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mistral-dashboard
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4391-1] python-mistralclient security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4391-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
December 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-mistralclient
Version : 1:4.1.1-2+deb11u1
CVE ID : CVE-2021-4472
A local file inclusion vulnerability has been discovered in
python-mistralclient, the OpenStack Workflow as a Service client, that
may result in disclosure of arbitrary local file content through the
'Create Workbook' feature.
For Debian 11 bullseye, this problem has been fixed in version
1:4.1.1-2+deb11u1.
We recommend that you upgrade your python-mistralclient packages.
For the detailed security status of python-mistralclient please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-mistralclient
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4390-1] pagure security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4390-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
December 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : pagure
Version : 5.11.3+dfsg-1+deb11u1
CVE ID : CVE-2024-4981 CVE-2024-4982 CVE-2024-47515 CVE-2024-47516
Debian Bug : 1091383
Multiple vulnerabilities have been discovered in Pagure, a Git-centered
code hosting system (forge).
CVE-2024-4981
The function _update_file_in_git() follows symbolic links in
temporary clones. The fix is to bail out if a file path is outside
the temp repo or inside the '.git/' folder to avoid data leak and
unauthorized changes in files or git config.
CVE-2024-4982
Path traversal in view_issue_raw_file().
CVE-2024-47515
The generate_archive() function follows symbolic links in temporary
clones. The fix is to add the actual link, rather than the target
content, to the zip archive.
CVE-2024-47516
Fix an injection of additional options to the Git command-line
during retrieval of the repository history to prevent remote code
execution.
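The two patterns behind CVE-2024-4981 and CVE-2024-47516 (a symlink-following write inside a temporary clone, and untrusted input reaching the Git command line as an option) are general enough to be worth showing in working code. The block below is an added illustration, not Pagure's own code: it resolves every symlink before checking that a path stays inside the clone and outside '.git/', and it builds a Git argv list that refuses option-like refs and closes the option list before any path. The function names (is_path_inside_repo, git_history_argv, demo) and the sample clone layout are constructed for the example.

```python
"""Defensive checks for a temporary git clone (added example, not Pagure's code).

Hypothetical helpers: is_path_inside_repo(), git_history_argv(), demo().
"""
import os
import tempfile


def is_path_inside_repo(repo_root: str, rel_path: str) -> bool:
    """Return True only if rel_path, after resolving every symlink, stays
    inside repo_root and does not touch the repository's .git/ directory.

    os.path.realpath follows symlinks in every path component, so a link
    such as clone/escape -> /some/other/dir is rejected even though the
    unresolved path looks like it lives in the clone.
    """
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, rel_path))
    # Containment: the target must be the root itself or live below it.
    if target != root and not target.startswith(root + os.sep):
        return False
    # Never allow writes into git metadata (config, hooks, ...).
    git_dir = os.path.join(root, ".git")
    if target == git_dir or target.startswith(git_dir + os.sep):
        return False
    return True


def git_history_argv(repo_root: str, ref: str, path: str = "") -> list:
    """Build an argv list (never a shell string) for retrieving history.

    A ref that starts with '-' would be parsed by git as an option, so it is
    refused outright; '--' terminates option parsing before any path.
    """
    if not ref or ref.startswith("-") or "\0" in ref:
        raise ValueError("refusing option-like or malformed ref: %r" % ref)
    argv = ["git", "-C", repo_root, "log", "--pretty=oneline", ref, "--"]
    if path:
        argv.append(path)
    return argv


def demo() -> dict:
    """Create a constructed temporary clone and run the path check on it."""
    results = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, ".git"))
        with open(os.path.join(repo, "README.md"), "w") as fh:
            fh.write("ok\n")
        # Constructed symlink pointing out of the clone, as a hostile commit could carry.
        os.symlink(outside, os.path.join(repo, "escape"))
        results["plain file"] = is_path_inside_repo(repo, "README.md")
        results["new file"] = is_path_inside_repo(repo, "docs/new.txt")
        results["dotdot"] = is_path_inside_repo(repo, "../secret")
        results["symlink escape"] = is_path_inside_repo(repo, "escape/passwd")
        results["git config"] = is_path_inside_repo(repo, ".git/config")
        results["git hook"] = is_path_inside_repo(repo, ".git/hooks/pre-commit")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-16s -> %s" % (name, "allowed" if allowed else "rejected"))
    print(git_history_argv("/path/to/clone", "main", "README.md"))
```

The check is deliberately done on the resolved path rather than on the string the caller supplied, because a string-level test ("does it contain '..'?") cannot see a symlink; on the argv side, passing a list to subprocess and terminating options with '--' removes the shell and the option parser as places where the ref could be reinterpreted.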
For Debian 11 bullseye, these problems have been fixed in version
5.11.3+dfsg-1+deb11u1.
We recommend that you upgrade your pagure packages.
For the detailed security status of pagure please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pagure
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4389-1] pytorch security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4389-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
December 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : pytorch
Version : 1.7.1-7+deb11u1
CVE ID : CVE-2025-32434
A possible remote code execution (RCE) vulnerability has been
discovered in pytorch, an open source machine learning framework.
CVE-2025-32434
Possible RCE when loading a model using torch.load with
weights_only=True.
For Debian 11 bullseye, this problem has been fixed in version
1.7.1-7+deb11u1.
We recommend that you upgrade your pytorch packages.
For the detailed security status of pytorch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pytorch
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4365-2] unbound security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4365-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
November 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : unbound
Version : 1.13.1-1+deb11u7
CVE ID : CVE-2025-11411
Debian Bug : 1121446
Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that the
initial fix for CVE-2025-11411 as applied in DLA 4365-1 did not fully
fix the vulnerability. Updated packages correcting this issue are now
available.
Additionally, this update includes a fix for potential amplification
DDoS attacks due to improperly following cleared RD flags.
For Debian 11 bullseye, this problem has been fixed in version
1.13.1-1+deb11u7.
We recommend that you upgrade your unbound packages.
For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1568-2 unbound1.9 security update
Package : unbound1.9
Version : 1.9.0-2+deb10u2~deb9u8 (stretch)
Related CVEs :
CVE-2025-11411
Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that the
initial fix for CVE-2025-11411 as applied in ELA 1568-1
did not fully fix the vulnerability. Updated packages correcting this
issue are now available.
Additionally, this update includes a fix for potential amplification
DDoS attacks due to improperly following cleared RD flags.
ELA-1567-2 unbound security update
Package : unbound
Version : 1.9.0-2+deb10u8 (buster)
Related CVEs :
CVE-2025-11411
Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that the
initial fix for CVE-2025-11411 as applied in ELA 1567-1
did not fully fix the vulnerability. Updated packages correcting this
issue are now available.
Additionally, this update includes a fix for potential amplification
DDoS attacks due to improperly following cleared RD flags.