[DLA 4230-1] xorg-server security update
[DLA 4229-1] commons-beanutils security update
[DSA 5950-1] firefox-esr security update
[DSA 5949-1] libxml2 security update
[SECURITY] [DLA 4230-1] xorg-server security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4230-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
June 25, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : xorg-server
Version : 2:1.20.11-1+deb11u16
CVE ID : CVE-2025-49175 CVE-2025-49176 CVE-2025-49178 CVE-2025-49179
CVE-2025-49180
Nils Emmerich discovered several vulnerabilities in the Xorg X server,
which may result in privilege escalation if the X server is running
privileged.
For Debian 11 bullseye, these problems have been fixed in version
2:1.20.11-1+deb11u16.
We recommend that you upgrade your xorg-server packages.
For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4229-1] commons-beanutils security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4229-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
June 25, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : commons-beanutils
Version : 1.9.4-1+deb11u1
CVE ID : CVE-2025-48734
commons-beanutils, utility for manipulating Java beans have an
improper Access Control vulnerability. A special BeanIntrospector
class was added in version 1.9.2. This can be used to stop attackers
from using the declared class property of Java enum objects to get
access to the classloader. However this protection was not enabled by
default. PropertyUtilsBean (and consequently BeanUtilsBean) now
disallows declared class level property access by default.
For Debian 11 bullseye, this problem has been fixed in version
1.9.4-1+deb11u1.
We recommend that you upgrade your commons-beanutils packages.
For the detailed security status of commons-beanutils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/commons-beanutils
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5950-1] firefox-esr security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5950-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 25, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : firefox-esr
CVE ID : CVE-2025-6424 CVE-2025-6425 CVE-2025-6429 CVE-2025-6430
Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code.
For the stable distribution (bookworm), these problems have been fixed in
version 128.12.0esr-1~deb12u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 5949-1] libxml2 security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5949-1 security@debian.org
https://www.debian.org/security/ Aron Xu
June 26, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : libxml2
CVE ID : CVE-2022-49043 CVE-2023-39615 CVE-2023-45322 CVE-2024-25062
CVE-2024-34459 CVE-2024-56171 CVE-2025-24928 CVE-2025-27113
CVE-2025-32414 CVE-2025-32415
Debian Bug : 1051230 1053629 1063234 1071162 1094238 1098320 1098321 1098322 1102521 1103511
Brief introduction
Multiple memory related vulnerabilities, inlcuding use-after-free,
out-of-bounds memory access and NULL pointer dereference, were discovered in
GNOME XML Parser and Toolkit Library and its Python bindings, which may cause
denial of service or other unintended behaviors.
For the stable distribution (bookworm), these problems have been fixed in
version 2.9.14+dfsg-1.3~deb12u2.
We recommend that you upgrade your libxml2 packages.
For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
