[DSA 6042-1] webkit2gtk security update
[DLA 4352-1] python-authlib security update
[DSA 6043-1] gimp security update
ELA-1557-1 python-pip security update
[SECURITY] [DSA 6042-1] webkit2gtk security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6042-1 security@debian.org
https://www.debian.org/security/ Alberto Garcia
October 28, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : webkit2gtk
CVE ID : CVE-2025-43272 CVE-2025-43342 CVE-2025-43343 CVE-2025-43356
CVE-2025-43368
The following vulnerabilities have been discovered in the WebKitGTK
web engine:
CVE-2025-43272
Big Bear discovered that processing maliciously crafted web
content may lead to an unexpected process crash.
CVE-2025-43342
An anonymous researcher discovered that processing maliciously
crafted web content may lead to an unexpected process crash.
CVE-2025-43343
An anonymous researcher discovered that processing maliciously
crafted web content may lead to an unexpected process crash.
CVE-2025-43356
Jaydev Ahire discovered that a website may be able to access
sensor information without user consent.
CVE-2025-43368
Pawel Wylecial discovered that processing maliciously crafted web
content may lead to an unexpected process crash.
This WebKitGTK update causes a compatibility problem with older
versions of Evolution when handling e-mail attachments. For this
reason, fixed versions of Evolution have also been released along with
this WebKitGTK update.
For the oldstable distribution (bookworm), these problems have been fixed
in version 2.50.1-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 2.50.1-1~deb13u1.
We recommend that you upgrade your webkit2gtk packages.
For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4352-1] python-authlib security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4352-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
October 29, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-authlib
Version : 0.15.4-1+deb11u1
CVE ID : CVE-2024-37568 CVE-2025-59420 CVE-2025-61920 CVE-2025-62706
Multiple vulnerabilities have been found in python-authlib, a Python
library for OAuth and OpenID Connect servers.
CVE-2024-37568
Unless an algorithm is specified in a jwt.decode call, HMAC verification
is allowed with any asymmetric public key.
CVE-2025-59420
Authlib’s JWS verification accepts tokens that declare unknown critical
header parameters (crit), violating RFC 7515 "must-understand" semantics.
An attacker can craft a signed token with a critical header that strict
verifiers reject but Authlib accepts. In mixed-language fleets, this
enables split-brain verification and can lead to policy bypass, replay,
or privilege escalation.
CVE-2025-61920
Authlib’s JOSE implementation accepts unbounded JWS/JWT header and
signature segments which can lead to a DoS during verification.
CVE-2025-62706
Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression
which can lead to a DoS.
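As an added example (not Authlib's code and not the patched package), the verifier-side checks these advisories imply, in stdlib Python: pin the accepted algorithm set instead of trusting the token's alg header, reject any crit entry the verifier does not implement, and bound segment sizes before decoding. The size limit, key and tokens are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed policy values for this example; the advisory itself gives no limits.
MAX_SEGMENT_CHARS = 4096             # bound each compact-serialization segment (CVE-2025-61920 class)
ALLOWED_ALGS = frozenset({"HS256"})  # the verifier pins the algorithm set (CVE-2024-37568 class)
UNDERSTOOD_CRIT = frozenset()        # no extensions implemented, so every "crit" entry is unknown

def _b64url_decode(segment: str) -> bytes:
    if len(segment) > MAX_SEGMENT_CHARS:
        raise ValueError("segment exceeds size bound")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(payload: dict, key: bytes, header_extra=None) -> str:
    """Constructed helper that mints an HS256 token so the verifier can be exercised."""
    header = {"alg": "HS256", "typ": "JWT", **(header_extra or {})}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_strict(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Return the claims, or raise ValueError where a strict RFC 7515 verifier would reject."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    # The verifier, not the token header, decides which algorithms are acceptable.
    if header.get("alg") not in allowed_algs:
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    # RFC 7515 section 4.1.11: "crit" must be a non-empty list and every entry must be understood.
    if "crit" in header:
        crit = header["crit"]
        if not isinstance(crit, list) or not crit or any(c not in UNDERSTOOD_CRIT for c in crit):
            raise ValueError(f"unsupported critical header parameters: {crit!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(parts[1]))

def rejects(token: str, key: bytes) -> bool:
    """True when verify_strict refuses the token; used to exercise each check."""
    try:
        verify_strict(token, key)
    except ValueError:
        return True
    return False
```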
For Debian 11 bullseye, these problems have been fixed in version
0.15.4-1+deb11u1.
We recommend that you upgrade your python-authlib packages.
For the detailed security status of python-authlib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-authlib
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6043-1] gimp security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6043-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 28, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : gimp
CVE ID : CVE-2025-2760 CVE-2025-6035 CVE-2025-10922
Several vulnerabilities were discovered in GIMP, the GNU Image
Manipulation Program, which could result in denial of service or
potentially the execution of arbitrary code if malformed DICOM or DDS
images are opened.
For the oldstable distribution (bookworm), these problems have been fixed
in version 2.10.34-1+deb12u4.
We recommend that you upgrade your gimp packages.
For the detailed security status of gimp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gimp
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1557-1 python-pip security update
Package : python-pip
Version : 9.0.1-2+deb9u3 (stretch), 18.1-5+deb10u1 (buster)
Related CVEs :
CVE-2019-20916
CVE-2021-3572
CVE-2023-5752
CVE-2025-8869
Multiple vulnerabilities have been discovered in python-pip, the Python package
installer.
CVE-2019-20916
Directory traversal is possible when a URL is given in an install command,
because a Content-Disposition header can have ../ in a filename.
This issue had already been fixed in Stretch via version 9.0.1-2+deb9u2 of
python-pip (DLA-2370-1).
CVE-2021-3572
A flaw exists in the way Unicode separators are handled in Git references.
CVE-2023-5752
When installing a package from a Mercurial VCS URL, arbitrary configuration
options could be injected to the "hg clone" call.
CVE-2025-8869
Pip's tar extraction doesn't check that symbolic links point into the
extraction directory.
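An added example, not pip's code or its fix, of the check CVE-2025-8869 describes: a tar extraction routine that resolves each member's path and link target and refuses anything that leaves the destination, extended here to hard links as well. The archives it extracts are constructed inline.

```python
import io, os, tarfile, tempfile

def _inside(base: str, path: str) -> bool:
    """True when path, after resolving symlinks and '..', stays under base."""
    return os.path.commonpath([base, os.path.realpath(path)]) == base

def safe_extract(tar: tarfile.TarFile, dest: str) -> list:
    """Extract members one at a time, refusing any whose path or link target leaves dest."""
    dest = os.path.realpath(dest)
    names = []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)
        if m.issym():   # relative symlink targets resolve from the link's own directory
            link = os.path.join(os.path.dirname(target), m.linkname)
        else:           # hard link targets are archive-relative; plain files have no link
            link = os.path.join(dest, m.linkname) if m.islnk() else target
        if not _inside(dest, target) or not _inside(dest, link):
            raise ValueError(f"{m.name!r} (link target {m.linkname!r}) leaves the extraction directory")
        tar.extract(m, dest)  # Python 3.12+ can also pass filter="data" for this class of checks
        names.append(m.name)
    return names

def make_archive(entries) -> bytes:
    """Constructed helper: entries are (name, data) files or (name, None, linkname) symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, *link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link[0]
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo() -> dict:
    """Extract a benign archive, then one whose symlink points outside; report both outcomes."""
    benign = make_archive([("pkg/a.txt", b"hello"), ("pkg/link", None, "a.txt")])
    hostile = make_archive([("pkg/escape", None, "../../outside")])
    out = {"hostile_rejected": True}
    with tempfile.TemporaryDirectory() as d, tarfile.open(fileobj=io.BytesIO(benign)) as tar:
        out["benign"] = safe_extract(tar, d)
    with tempfile.TemporaryDirectory() as d, tarfile.open(fileobj=io.BytesIO(hostile)) as tar:
        try:
            safe_extract(tar, d)
            out["hostile_rejected"] = False   # only reached if the link check were missing
        except ValueError:
            pass
    return out
```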