Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1553-1 icedtea-web security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1552-1 xrdp security update
ELA-1554-1 node-form-data security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4345-1] openjdk-17 security update
[DLA 4348-1] python-pip security update
[DLA 4347-1] intel-microcode security update
[DLA 4346-1] openjdk-11 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 6038-1] openjdk-17 security update
ELA-1552-1 xrdp security update
Package : xrdp
Version : 0.9.9-1+deb10u4 (buster)
Related CVEs :
CVE-2024-39917
CVE-2023-42822
CVE-2023-40184
Three issues found in xrdp are addressed in this update.
xrdp is an open source remote desktop protocol (RDP) server.
xrdp had a vulnerability that allows attackers to make an unlimited number of
login attempts. The maximum number of login attempts is supposed to be limited
by the configuration parameter MaxLoginRetry in /etc/xrdp/sesman.ini. However,
this mechanism was not effectively working, so xrdp allowed an unlimited
number of login attempts.
Access to the font glyphs in xrdp_painter.c is not bounds-checked.
Since some of this data is controllable by the user, this can result in an
out-of-bounds read within the xrdp executable. The vulnerability allows an
out-of-bounds read within a potentially privileged process. On non-Debian
platforms, xrdp tends to run as root. Potentially an out-of-bounds write can
follow the out-of-bounds read. There is no denial-of-service impact, providing
xrdp is running in forking mode.
Improper handling of session establishment errors allows bypassing OS-level
session restrictions. The auth_start_session function can return a non-zero (1)
value on, e.g., a PAM error, which may allow session restrictions enforced by
PAM, such as the maximum number of concurrent sessions per user (e.g.
/etc/security/limits.conf), to be bypassed. Users (administrators) who do not
use PAM restrictions are not affected.
[SECURITY] [DLA 4345-1] openjdk-17 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4345-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
October 25, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : openjdk-17
Version : 17.0.17+10-1~deb11u1
CVE ID : CVE-2025-53057 CVE-2025-53066
Two vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in XML external entity injection attacks or incorrect
certificate validation.
For Debian 11 bullseye, these problems have been fixed in version
17.0.17+10-1~deb11u1.
We recommend that you upgrade your openjdk-17 packages.
For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1553-1 icedtea-web security update
Package : icedtea-web
Version : 1.6.2-3.1+deb9u2 (stretch), 1.7.2-2+deb10u1 (buster)
Related CVEs :
CVE-2019-10181
CVE-2019-10182
CVE-2019-10185
Several security vulnerabilities were found in icedtea-web, an
implementation of the Java Network Launching Protocol (JNLP).
CVE-2019-10181
It was found that in icedtea-web executable code could be injected
in a JAR file without compromising the signature verification. An
attacker could use this flaw to inject code in a trusted JAR. The
code would be executed inside the sandbox.
CVE-2019-10182
It was found that icedtea-web did not properly sanitize paths from
elements in JNLP files. An attacker could trick a victim
into running a specially crafted application and use this flaw to
upload arbitrary files to arbitrary locations in the context of the
user.
CVE-2019-10185
It was found that icedtea-web was vulnerable to a zip-slip attack
during auto-extraction of a JAR file. An attacker could use this
flaw to write files to arbitrary locations. This could also be used
to replace the main running application and, possibly, break out of
the sandbox.
[SECURITY] [DLA 4348-1] python-pip security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4348-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
October 26, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-pip
Version : 20.3.4-4+deb11u2
CVE ID : CVE-2023-5752 CVE-2025-8869
Debian Bug : 1116336
Multiple vulnerabilities have been found in python-pip, the Python
package installer.
CVE-2023-5752
When installing a package from a Mercurial VCS URL, arbitrary
configuration options could be injected to the "hg clone" call.
CVE-2025-8869
Pip's tar extraction doesn't check that symbolic links point to the
extraction directory.
For Debian 11 bullseye, these problems have been fixed in version
20.3.4-4+deb11u2.
We recommend that you upgrade your python-pip packages.
For the detailed security status of python-pip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-pip
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4347-1] intel-microcode security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4347-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
October 25, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : intel-microcode
Version : 3.20250812.1~deb11u1
CVE ID : CVE-2025-20053 CVE-2025-20109 CVE-2025-21090 CVE-2025-22839
CVE-2025-22840 CVE-2025-22889 CVE-2025-24305 CVE-2025-26403
CVE-2025-32086
Debian Bug : 1110983 1112168
This update ships updated CPU microcode for some types of Intel CPUs and
provides mitigations for security vulnerabilities which could result in
privilege escalation or denial of service.
For Debian 11 bullseye, these problems have been fixed in version
3.20250812.1~deb11u1.
We recommend that you upgrade your intel-microcode packages.
For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4346-1] openjdk-11 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4346-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
October 25, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : openjdk-11
Version : 11.0.29+6-1~deb11u1
CVE ID : CVE-2025-53057 CVE-2025-53066
Two vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in XML external entity injection attacks or incorrect
certificate validation.
For Debian 11 bullseye, these problems have been fixed in version
11.0.29+6-1~deb11u1.
We recommend that you upgrade your openjdk-11 packages.
For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6038-1] openjdk-17 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6038-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 25, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openjdk-17
CVE ID : CVE-2025-53057 CVE-2025-53066
Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in XML XXE/XEE attacks or incorrect
certificate validation.
For the oldstable distribution (bookworm), these problems have been fixed
in version 17.0.17+10-1~deb12u1.
We recommend that you upgrade your openjdk-17 packages.
For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1554-1 node-form-data security update
Package : node-form-data
Version : 2.3.2-2+deb10u1 (buster)
Related CVEs :
CVE-2025-7783
It was discovered that there was a potential HTTP Parameter Pollution
(HPP) issue in node-form-data, a module for creating multipart/form-data
streams in Node.js applications.