Home on Freexian

Frequently Asked Questions about PHP LTS (by )

Fri, 30 Oct 2020 11:07:07 +0200

How can I access the package repositories?

The package repositories are private. Only customers of the service have access to them. See the documentation for details on how you can access them.

On how many servers can I use the package repositories?

This depends on the offer that you picked. Up to 30 for the “Basic” offer, up to 200 for the “Pro” offer and up to 1000 for the “Business” offer. Organizations with more than 1000 servers using PHP LTS have a custom price as part of the “Enterprise” offer.

If you are exceeding your limit, please reach out to us at sales@freexian.com so that we can adjust your contract.

Why do I get HTTP 403 errors when I run `apt update`?

The most likely reason is that you are trying to access an APT repository that you have not subscribed to. For instance, to access the bookworm repository, you need to have subscribed to at least one Debian 12 ‘bookworm’ based platform.

Why do I get HTTP 403 errors when I try to install a package?

The package repositories that you are using have all the available PHP versions, but we are restricting the set of packages that you have access to at the HTTP level. Any package containing phpX.Y in its name will only be accessible if you have included the corresponding platform as part of your subscription.

If you believe to have unwarranted HTTP 403 errors, then don’t hesitate to open a support ticket.

In that case, you should tell your customers to subscribe to the service by themselves. If you want to spare them this administrative work, you can take multiple “Basic” subscriptions in the name of your customers.

What is the difference between Freexian and Debian packages?

The main difference is the supported PHP versions. On Debian, there’s only a single supported PHP version, but on Freexian, multiple co-installable PHP versions are provided from the Freexian repository.

The other difference is in the way how the PECL extensions are packaged. There’s a single package for Debian and multiple versioned packages in the Freexian PHP repository.

What is the default PHP version on Freexian?

The default PHP version that gets installed when you type f.e. apt install php-fpm follows the latest upstream PHP version with some delay. The default PHP version is usually switched to the new stable PHP version after few months of grace period when all extensions are built, and people report success running the latest PHP version.

What is the difference between Freexian and DEB.SURY.ORG?

There are two differences. The main difference is that the Freexian PHP repositories are guaranteed and officially supported, and the DEB.SURY.ORG repositories are provided on a best effort basis.

Then the technical difference is in the Debian releases supported. The Freexian PHP repositories offer packages for all Debian releases, including those who are supported through LTS and Extended LTS, and for all Ubuntu LTS releases, including those who are in Extended Service Maintenance via Ubuntu Pro. With Freexian, you are getting a broader selection of supported Debian releases.

If you are already familiar with DEB.SURY.ORG packages, you should have no trouble using Freexian PHP packages.

What security support is provided?

Upstream security and stability fixes, as applied to PHP stable releases, are backported to the Freexian LTS supported PHP releases. This is essentially the same support that upstream PHP provides for their upstream-supported releases, but continued long after upstream PHP stops supporting them.

We review and triage security issues regularly, and apply patches according to impact and compatibility with the older PHP releases. Where an issue is not fixable, mitigations may be recommended.

Many security updates come with regression tests to ensure that they are fixed. These are usually backported with the patch, ensuring its correctness and avoiding future regression.

This is the same level of security support as is provided for PHP packages within regular Debian stable releases, by the same team.

We would like to thank Remi Collet for the php-src-security repository that is used as a base for providing the security support for end-of-life PHP versions in Debian and Ubuntu.

What are you doing to avoid regressions from security updates?

We run PHP’s full regression test suite before updating PHP in the repositories, to reduce the risk of regressions.

Where can I see a list of security issues?

Applied fixes are documented in the Debian changelog of the package. You can see it in e.g. /usr/share/doc/php-7.4/changelog.Debian.gz on a system where the package is installed.

The CVEs and their triaging decisions are not published in a structured form, at this time.

How long will you support PHP releases after their end-of-life?

See our End-of-Life page.

How long will your support Debian 9?

We will provide packages for Debian 9 for as long as Debian 9 is supported through Freexian’s Extended Long Term Support, so until June 2027.

How to switch from Debian PHP packages to Freexian PHP packages?

Using the Freexian PHP packages should be as simple as adding the private APT repository and running apt update. Then to install, for example, PHP 7.4, you would run apt install php7.4 or apt install phpX.Y-fpm. The only thing you must be aware of is the difference between the default versions. If you already have the php-fpm package installed, the apt dist-upgrade command will co-install the default PHP version and upgrade the currently installed version.

How to switch from DEB.SURY.ORG packages to Freexian PHP packages?

Switching the source of the PHP packages from DEB.SURY.ORG to Freexian is very simple. Just add the Freexian private repositories to the APT source lists and remove the DEB.SURY.ORG repository. The next apt update && apt upgrade will update the packages to the Freexian PHP packages.

What PECL extensions are provided?

Check out the list of supported extensions.

We generally don’t provide non-opensource PECL extensions.

As a customer, you have an option to request the addition of PECL extensions to the private repository.

How are the PECL extensions packaged?

For every PHP release (5.6, 7.x and 8.x), there’s a matching phpX.Y-<ext> package. In addition to that, for compatibility reasons, there’s a single php-<ext> package that depends on all individual PECL packages.

Which architectures are supported?

In general, we support amd64, armhf and arm64. But there are a few exceptions: Ubuntu 16.04 ‘xenial’ does not support armhf and arm64, Debian 9 ‘stretch’ does not support arm64.

Support for the i386 architecture is deprecated: packages are available for all Debian releases but not for Ubuntu 20.04 and newer releases, and it will likely be dropped for Debian releases in the near future too.

Please contact sales@freexian.com if you want to check whether a specific architecture is supported for the releases that are of interest to you, or if you need support for another architecture.

I have more questions. Where do I send them?

Please get in touch with us at sales@freexian.com. If you are already a customer, you should have received instructions to be able to send us support requests.

How to use Extended LTS (by )

Fri, 05 Dec 2025 07:41:12 +0100

After subscription to the Extended LTS (ELTS) service, Freexian hands over credentials — under the form of a username and a password — to the technical contact listed on the service order form. You will need those to access the APT repositories, they are referred to as ${username} and ${password} in the sample commands and configuration files below. Make sure you substitute them with their real value when you type the command or write the configuration files!

Adding Extended LTS repositories to APT

Installing the Freexian archive GPG key

The Extended LTS repositories are signed with the following GPG key:

sec   rsa4096 2018-05-28 [SC] [expires: 2027-12-05]
      AB597C4F6F3380BD4B2BEBC2A07310D369055D5A
uid           [ultimate] Extended LTS Repository <sysadmin@freexian.com>

To enable this key in your APT configuration, you have the following choices:

manually install the freexian-archive-keyring package with wget https://${username}:${password}@security.freexian.com/extended-lts/pool/main/f/freexian-archive-keyring/freexian-archive-keyring_2022.06.08_all.deb && sudo dpkg -i freexian-archive-keyring_2022.06.08_all.deb
manually fetch the key with sudo wget https://${username}:${password}@security.freexian.com/extended-lts/archive-key.gpg -O elts-archive-key.gpg && sudo mv elts-archive-key.gpg /etc/apt/trusted.gpg.d/freexian-archive-extended-lts.gpg

If you have certificate validation issues with the above commands, please retry the download step with wget --no-check-certificate ... and run the second command only after having ensured that the SHA256 checksum of the downloaded file matches the corresponding checksum listed below:

$ sha256sum freexian-archive-keyring_2022.06.08_all.deb
a8160d1aa1a40aa9988bf0b389b650550c7460ec3b4ec1d847778fe44b9c4dbc  freexian-archive-keyring_2022.06.08_all.deb

$ sha256sum elts-archive-key.gpg
a0b22152fdf1942f49cc1559ec4598bae8d8954da9ed38662d15b97a60909db8  elts-archive-key.gpg

Finally, you might want to double check that the archive key fingerprint displayed by apt-key finger matches the one shown above.

Configuring authentication for APT

Here’s what your /etc/apt/auth.conf file should contain:

machine security.freexian.com
login ${username}
password ${password}

This ensures that whenever APT tries to connect to a repository hosted on security.freexian.com, it will supply the corresponding authentication credentials.

Adding APT sources.list entries

Whenever you add the Freexian ELTS repository, you should at the same time disable the Debian repositories, because the Debian repositories are likely to break over the lifetime of Freexian’s ELTS service (either because the signing key expires, or because the repository is moved away for archival).

To leave /etc/apt/sources.list for local use, we recommend to configure the ELTS repositories in /etc/apt/sources.list.d/extended-lts.list. That file will typically look like this (where ${codename} has to be replaced with the codename of the Debian release that you use):

deb https://security.freexian.com/extended-lts ${codename} main contrib non-free

For Debian 9 stretch:

deb https://security.freexian.com/extended-lts stretch main contrib non-free

For Debian 10 buster:

deb https://security.freexian.com/extended-lts buster main contrib non-free

If you encounter sources.list entries with a codename like stretch-lts or buster-lts, note that those are partial repositories: they contain only the security updates provided by Freexian, and not all the original Debian packages. They can’t be used in a standalone way.

How to access the APT repositories (by )

Wed, 28 Oct 2020 12:46:57 +0200

The package repositories hosting the various PHP releases are private. That means that only customers of this service can get access to them.

This document explains the various options available and the required steps to configure those repositories.

Installing the freexian archive GPG key

All the package repositories are signed with the following GPG key:

sec   rsa4096 2020-08-14 [SCEA] [expires: 2027-12-06]
      135709AE1EB277A46E71572620DC56A105636A88
uid           [ultimate] PHP LTS <php-support@freexian.com>

To enable this key in your APT configuration, you have the following choices:

manually install the freexian-archive-keyring package with wget https://php.freexian.com/public/freexian-archive-keyring.deb && sudo dpkg -i freexian-archive-keyring.deb
manually fetch the key with sudo wget https://php.freexian.com/public/archive-key.gpg -O /etc/apt/trusted.gpg.d/freexian-archive-php.gpg
configure the repository in APT and install freexian-archive-keyring with apt install --allow-unauthenticated freexian-archive-keyring

You might want to double check that the key fingerprint outputted by apt-key finger matches the one shown above.

Configure APT’s sources.list

Use a customer specific URL

Once you have paid your subscription to the service, you will be granted a unique URL (that embeds a username and a private token) that you can use as an APT repository. The sources.list entry will look like this:

deb http://php.freexian.com/c/$USERNAME-$TOKEN $CODENAME main

Depending on your interest, $CODENAME can be either stretch, buster, bullseye, bookworm, trixie for Debian releases, or xenial, bionic, focal, jammy, noble for Ubuntu releases. $USERNAME and $TOKEN are given to you by Freexian.

A sample entry for Debian 10 buster could look like this:

deb http://php.freexian.com/c/john-y3aRBSgNyrWBkWRXyD7X7jYrP31MS2IZ buster main

That URL will be usable from any IP address but if we detect that the URL has leaked to third parties, we might disable the URL and require you to use a new one.

Host a private mirror of the package repository

Customers of the “enterprise” offers will be granted personal access credentials for the rsync service allowing them to host a mirror of the full package repository. See the documentation to learn how to setup such a mirror.

How to install Linux Kernel backports (by )

Tue, 10 Jul 2018 11:58:57 +0200

The kernel versions originally shipped with each Debian release are no longer maintained during the Extended LTS phase of each release’s lifecycle. Instead, we provide backports of Linux from more recent Debian releases. Currently, this means that for Debian 9 “stretch” and Debian 10 “buster” we provide packages of Linux 5.10 and Linux 6.1. They can be installed from the stretch-lts and buster-lts repositories, respectively.

Linux 5.10 will be supported until the end of August 2026. Linux 6.1 will be supported until the end of June 2027 for Debian 9, and until the end of June 2028 for Debian 10. We also plan to backport Linux 6.12, starting in August 2027. The following table summarizes the kernel maintenance lifetime of Extended LTS:

	Debian 9 “stretch”	Debian 10 “buster”	Debian 11 “bullseye” (planned)
Linux 5.10	Until August 31st 2026	Until August 31st 2026
Linux 6.1	Until June 30th 2027	Until June 30th 2028	Until June 30th 2028
Linux 6.12 (planned)		From August 2027 to June 30th 2029	From August 2027 to June 30th 2030

Support of i386 kernel packages

The Linux 5.10 and 6.1 ELTS packages provide support for 32-bit x86 (i386), and the i386 binary packages will be available until the end of their related backport maintenance lifetimes. The future Linux 6.12 backport won’t include any i386 binary packages.

Installing Linux Kernel backports

Linux binary packages are available according to the host’s architecture. They can be installed using the following commands:

Linux 6.1

For 64-bit x86 (amd64):

apt-get install linux-image-6.1-amd64

or for 32-bit x86 (i386):

apt-get install linux-image-6.1-686-pae

Linux 5.10

For 64-bit x86 (amd64):

apt-get install linux-image-5.10-amd64

or for 32bit x86 (i386):

apt-get install linux-image-5.10-686-pae

How to follow extended LTS updates (by )

Wed, 30 May 2018 12:46:57 +0200

Follow with an RSS feed

The Extended LTS Advisories (ELA) are published in the Updates section of this website. They can be monitored through this RSS feed.

Follow by email

If you want to be notified by email, you can subscribe to our dedicated mailing list. Click here, fill the fields, submit the form, confirm the captcha, and you are done.

How to build a package list (by )

Wed, 20 Apr 2022 12:46:57 +0200

One package list per Debian release

We need a list of packages to support for each Debian release that you are using. The best way to build this list is to gather the list of installed packages on all the Debian systems that you are running.

The dpkg-query command can be used for this:

$ dpkg-query -f'${db:Status-Status} ${source:Package},${Package},${Version}\n' -W | awk '! /^(not-installed|config-files)/ {print $2}'

You need to analyze separately your Debian systems based on the version of Debian that they are running.

Format of the package list

The package list must follow the same format as what’s produced by the above dpkg-query command.

The result is a file with one line per binary package and 3 comma-separated fields on each line:

the name of the source package
the name of the binary package
the version of the binary package

Combining lists from multiple systems

If you have Debian systems with different list of installed packages, you should run this command on each Debian system:

$ dpkg-query -f'${db:Status-Status} ${source:Package},${Package},${Version}\n' -W | awk '! /^(not-installed|config-files)/ {print $2}' >$(hostname).pkglist

This produces a hostname.pkglist file. Collect all those *.pkglist files in the same location and then merge them with this command:

$ sort -u *.pkglist >final.pkglist

This final.pkglist file is the file that you should submit to Freexian at sales@freexian.com. Feel free to drop packages from the generated list to only keep those that truly matter to you.

Note that you should provide us one package list for each Debian release that you need support for. So only combine lists from systems running the same Debian release.

The ELTS cost estimation model (by )

Wed, 20 Apr 2022 11:58:57 +0200

Explanations about the ELTS cost estimation

We have been doing security support of Debian packages since 2014 so we have a long history of data that lets us estimate the workload (and thus cost) required to keep each package secure.

We also have historical data of our customers so we know which packages are the most popular among our customers. We use this data to define the “per customer cost” of each package based on their expected popularity. At the same time, we also know that the number of ELTS customers is decreasing over time because some customers have finished migrating their servers or reached the end-of-life of their own product.

We have combined all those data to build a cost estimation model so that when a prospect submits us a package list to support, we can quickly provide a cost estimation for the whole support period that they need.

What is included in the cost estimation

The cost estimation combines two parts:

a fixed amount per semester that covers the cost of our infrastructure and of the maintenance of all the “base packages”.
a variable amount per semester that covers the cost of maintaining all the packages used by the customer

The part of the price that covers the maintenance of the packages will grow each semester. During the first 2.5 years, the price increase will be moderate (around 10% each time) but it will be more important in the last 2.5 years.

Examples of a cost estimation

The below examples have been made for Debian 10 Buster. The figures and package lists may vary for other Debian releases.

A small container with a web service

In this example, we ran debootstrap and then installed Apache 2, PostgreSQL and PHP. This resulted in this package list.

The associated cost estimation looks like this:

Your list of packages to support in Debian buster contains 150 packages.

Among those there are 0 packages that Freexian will not support (see the warnings.csv file for details). Among the 150 packages that we can support, there are 84 that have an history of security vulnerabilities.

The price for each semester consists of a fixed sum (covering the cost of the base system and infrastructure costs) and of a variable amount depending on the cost of your packages (you can have some details about the price of each package in the initial period in the packages-cost.csv file) and of the time elapsed.

The price increase tries to model the loss of customers over time, it’s a slow increase over the first half of the ELTS period and a steep increase afterwards because the bulk of the customers will have migrated to another Debian release at that time.

2024-H2: 3675 EUR

2025-H1: 4095 EUR

2025-H2: 4515 EUR

2026-H1: 4935 EUR

2026-H2: 5355 EUR

2027-H1: 6930 EUR

2027-H2: 8505 EUR

2028-H1: 9975 EUR

2028-H2: 11550 EUR

2029-H1: 13020 EUR

An embedded product

In this example, we used debian installer in a virtual machine: we installed the “standard” and “OpenSSH server” tasks, then manually installed curl, busybox, ntp and openjdk-11-jre. This resulted in this packagelist.

The associated cost estimation looks like this:

Your list of packages to support in Debian buster contains 302 packages.

Among those there are 1 packages that Freexian will not support (see the warnings.csv file for details). Among the 301 packages that we can support, there are 129 that have an history of security vulnerabilities.

[…]

2024-H2: 4830 EUR

2025-H1: 5355 EUR

2025-H2: 5880 EUR

2026-H1: 6405 EUR

2026-H2: 7035 EUR

2027-H1: 9555 EUR

2027-H2: 12180 EUR

2028-H1: 14700 EUR

2028-H2: 17220 EUR

2029-H1: 19740 EUR

The associated warnings.csv file only mentions that “linux” is not supported and that one should use our backport of a newer kernel.

About Debian 13 Trixie (by )

Thu, 06 Nov 2025 12:00:00 +0200

Extended LTS for Debian 13 Trixie

Support period

2025-08-09: Publication of Debian 13 Trixie
2028-08-10: Security support handed over to the Debian LTS team.
2030-06-30: End of support in Debian. Security support now handled by Freexian’s Extended LTS service.
2035-06-30: End of support.

Architectures supported

amd64

The set of architectures supported depend on the request of our customers. At this point, you can be sure that amd64 will be supported. But we can easily support armhf, arm64 and i386. If you need another architecture, please subscribe and let us know your requirements.

Limitations of support

Not all packages can be supported by our Extended LTS for Debian 13 service:

packages that have already been marked as unsupported (or with limited support) by the Debian security/LTS teams: see list in git repository
linux: to cover the whole ELTS lifetime, we are backporting newer kernels from newer Debian release. See our kernel backports instructions.

Note that when you request a quote, we send you back a list of packages that are not supported or that have limitations in their support so that you can take an informed decision.

List of base packages

The following packages are part of Debian’s 13 base system and will thus always be supported (as long as we have customers paying for Debian 13 support):

acl
adduser
apparmor
apt
attr
audit
base-files
base-passwd
bash
bzip2
ca-certificates
cdebconf
coreutils
cpio
cron
dash
db5.3
dbus
debconf
debian-archive-keyring
debianutils
dhcpcd
dh-runit
diffutils
dmidecode
dpkg
e2fsprogs
elfutils
expat
findutils
gcc-14
glibc
gmp
grep
gzip
hostname
ifupdown
init-system-helpers
iproute2
iptables
iputils
jansson
keyutils
kmod
krb5
less
libbpf
libbsd
libcap2
libcap-ng
libcbor
libedit
libfido2
libidn2
liblocale-gettext-perl
libmd
libmnl
libnftnl
libseccomp
libselinux
libsemanage
libsepol
libtext-charwidth-perl
libtext-iconv-perl
libtext-wrapi18n-perl
libtirpc
libunistring
libx11
libxau
libxcb
libxcrypt
libxdmcp
libxext
libxmu
libzstd
linux-base
logrotate
lz4
mawk
nano
ncurses
netbase
nettle
newt
nftables
openssh
openssl
pam
pcre2
perl
popt
procps
readline
rust-sequoia-sqv
sed
sensible-utils
shadow
slang2
sqlite3
sudo
systemd
sysvinit
tar
tcp-wrappers
tzdata
ucf
util-linux
vim
wtmpdb
xauth
xxhash
xz-utils
zlib

About Debian 12 Bookworm (by )

Mon, 27 Nov 2023 12:00:00 +0200

Extended LTS for Debian 12 Bookworm

Support period

2023-06-10: Publication of Debian 12 Bookworm
2026-06-11: Security support handed over to the Debian LTS team.
2028-06-30: End of support in Debian. Security support now handled by Freexian’s Extended LTS service.
2033-06-30: End of support.

Architectures supported

amd64

Limitations of support

Not all packages can be supported by our Extended LTS for Debian 12 service:

packages that have already been marked as unsupported by the Debian security/LTS teams are not supported: see list in git repository
some packages have limited support: see list in git repository
linux: to cover the whole ELTS lifetime, we are backporting newer kernels from newer Debian release. See our kernel backports instructions.

Note that when you request a quote, we send you back a list of packages that are not supported or that have limitations in their support so that you can take an informed decision.

List of base packages

The following packages are part of Debian’s 12 base system and will thus always be supported (as long as we have customers paying for Debian 12 support):

acl
adduser
apparmor
apt
argon2
attr
audit
base-files
base-passwd
bash
bzip2
ca-certificates
cdebconf
coreutils
cpio
cron
cryptsetup
dash
db5.3
dbus
debconf
debian-archive-keyring
debianutils
dh-runit
diffutils
dmidecode
dpkg
e2fsprogs
elfutils
expat
findutils
gcc-12
glibc
gmp
gnupg2
gnutls28
grep
gzip
hostname
ifupdown
init-system-helpers
iproute2
iptables
iputils
isc-dhcp
jansson
json-c
keyutils
kmod
krb5
less
libbpf
libbsd
libcap2
libcap-ng
libcbor
libedit
libffi
libfido2
libgcrypt20
libgpg-error
libidn2
liblocale-gettext-perl
libmd
libmnl
libnftnl
libnsl
libseccomp
libselinux
libsemanage
libsepol
libtasn1-6
libtext-charwidth-perl
libtext-iconv-perl
libtext-wrapi18n-perl
libtirpc
libunistring
libx11
libxau
libxcb
libxcrypt
libxdmcp
libxext
libxmu
libzstd
logrotate
lvm2
lz4
mawk
nano
ncurses
netbase
nettle
newt
nftables
openssh
openssl
p11-kit
pam
pcre2
perl
popt
procps
readline
sed
sensible-utils
shadow
slang2
sudo
systemd
sysvinit
tar
tasksel
tcp-wrappers
tzdata
ucf
usrmerge
util-linux
vim
xauth
xxhash
xz-utils
zlib

About Debian 11 Bullseye (by )

Mon, 27 Nov 2023 11:58:57 +0200

Extended LTS for Debian 11 Bullseye

Support period

2021-08-14: Publication of Debian 11 Bullseye
2024-08-15: Security support handed over to the Debian LTS team.
2026-08-31: End of support in Debian. Security support now handled by Freexian’s Extended LTS service.
2031-06-30: End of support.

Architectures supported

amd64

Limitations of support

Not all packages can be supported by our Extended LTS for Debian 11 service:

packages that have already been marked as unsupported by the Debian security/LTS teams are not supported: see list in git repository
some packages have limited support: see list in git repository
linux: to cover the whole ELTS lifetime, we are backporting newer kernels from newer Debian release. See our kernel backports instructions.

Note that when you request a quote, we send you back a list of packages that are not supported or that have limitations in their support so that you can take an informed decision.

List of base packages

The following packages are part of Debian’s 11 base system and will thus always be supported (as long as we have customers paying for Debian 11 support):

acl
adduser
apparmor
apt
argon2
attr
audit
base-files
base-passwd
bash
bind9-libs
bzip2
ca-certificates
cdebconf
coreutils
cpio
cron
cryptsetup
dash
db5.3
dbus
debconf
debian-archive-keyring
debianutils
dh-runit
diffutils
dmidecode
dpkg
e2fsprogs
elfutils
expat
findutils
gcc-10
gcc-9
glibc
gmp
gnupg2
gnutls28
grep
gzip
hostname
ifupdown
init-system-helpers
iproute2
iptables
iputils
isc-dhcp
jansson
json-c
keyutils
kmod
krb5
less
libbpf
libbsd
libcap2
libcap-ng
libcbor
libedit
libestr
libfastjson
libffi
libfido2
libgcrypt20
libgpg-error
libidn2
liblocale-gettext-perl
liblognorm
libmd
libmnl
libnftnl
libnsl
libseccomp
libselinux
libsemanage
libsepol
libtasn1-6
libtext-charwidth-perl
libtext-iconv-perl
libtext-wrapi18n-perl
libtirpc
libunistring
libx11
libxau
libxcb
libxcrypt
libxdmcp
libxext
libxmu
libzstd
logrotate
lsb
lvm2
lz4
mawk
nano
ncurses
netbase
nettle
newt
nftables
openssh
openssl
p11-kit
pam
pcre2
pcre3
perl
popt
procps
readline
rsyslog
sed
sensible-utils
shadow
slang2
sudo
systemd
sysvinit
tar
tasksel
tcp-wrappers
tzdata
ucf
util-linux
vim
xauth
xxhash
xz-utils
zlib

About Debian 10 Buster (by )

Tue, 12 Sep 2023 11:58:57 +0200

Extended LTS for Debian 10 Buster

Support period

2019-07-06: Publication of Debian 10 Buster
2022-06-30: Security support handed over to the Debian LTS team.
2024-06-30: End of support in Debian. Security support now handled by Freexian’s Extended LTS service.
2029-06-30: End of support.

Architectures supported

amd64
armhf
arm64
i386

If you need another architecture, please subscribe and let us know your requirements.

Limitations of support

Not all packages can be supported by our Extended LTS for Debian 10 service:

packages that have already been marked as unsupported by the Debian security/LTS teams are not supported: see list in git repository
some packages have limited support: see list in git repository
linux: we don’t provide security support for Linux 4.19 that was originally provided in Debian 10 Buster. Instead we maintain a backport.

Note that when you request a quote, we send you back a list of packages that are not supported or that have limitations in their support so that you can take an informed decision.

List of base packages

The following packages are part of Debian’s 10 base system and will thus always be supported (as long as we have customers paying for Debian 10 support):

acl
adduser
apparmor
apt
argon2
attr
audit
base-files
base-passwd
bash
bind9
bsdmainutils
bzip2
ca-certificates
cdebconf
coreutils
cpio
cron
cryptsetup
dash
db5.3
dbus
debconf
debian-archive-keyring
debianutils
diffutils
dmidecode
dpkg
e2fsprogs
elfutils
expat
findutils
gcc-8
gdbm
glibc
gmp
gnupg2
gnutls28
grep
gzip
hostname
ifupdown
init-system-helpers
iproute2
iptables
iputils
isc-dhcp
json-c
keyutils
kmod
krb5
less
libbsd
libcap2
libcap-ng
libedit
libestr
libfastjson
libffi
libgcrypt20
libgpg-error
libidn
libidn2
liblocale-gettext-perl
liblognorm
libmnl
libnetfilter-conntrack
libnfnetlink
libnftnl
libseccomp
libselinux
libsemanage
libsepol
libtasn1-6
libtext-charwidth-perl
libtext-iconv-perl
libtext-wrapi18n-perl
libunistring
libx11
libxau
libxcb
libxdmcp
libxext
libxmu
libzstd
logrotate
lsb
lvm2
lz4
mawk
nano
ncurses
netbase
nettle
newt
openssh
openssl
p11-kit
pam
pcre3
perl
popt
procps
readline
rsyslog
sed
sensible-utils
shadow
slang2
sudo
systemd
sysvinit
tar
tasksel
tcp-wrappers
tzdata
ucf
util-linux
vim
xauth
xz-utils
zlib

About Debian 9 Stretch (by )

Wed, 20 Apr 2022 11:58:57 +0200

Extended LTS for Debian 9 Stretch

Support period

2017-06-17: Publication of Debian 9 Stretch
2020-06-30: Security support handed over to the Debian LTS team.
2022-06-30: End of support in Debian. Security support now handled by Freexian’s Extended LTS service.
2027-06-30: End of support.

Architectures supported

amd64
i386
armhf

If you need another architecture, please subscribe and let us know your requirements.

Limitations of support

Not all packages can be supported by our Extended LTS for Debian 9 service:

packages that have already been marked as unsupported by the Debian security/LTS teams are not supported: see list in git repository
some packages have limited support: see list in git repository
linux: we don’t provide security support for Linux 4.9 that was originally provided in Debian 9 Stretch. Instead we maintain a backport.

Note that when you request a quote, we send you back a list of packages that are not supported or that have limitations in their support so that you can take an informed decision.

List of base packages

The following packages are part of Debian’s 9 base system and will thus always be supported (as long as we have customers paying for Debian 9 support):

acl
adduser
apparmor
apt
attr
audit
base-files
base-passwd
bash
bind9
bsdmainutils
bzip2
ca-certificates
cdebconf
coreutils
cpio
cron
cryptsetup
dash
db5.3
dbus
debconf
debian-archive-keyring
debianutils
diffutils
dmidecode
dpkg
e2fsprogs
elfutils
expat
findutils
gcc-6
gdbm
glibc
gmp
gnupg2
gnutls28
grep
gzip
hostname
ifupdown
init-system-helpers
iproute2
iptables
iputils
isc-dhcp
keyutils
kmod
krb5
libassuan
libbsd
libcap2
libcap-ng
libedit
libestr
libfastjson
libffi
libgcrypt20
libgpg-error
libidn
libidn2-0
libksba
liblocale-gettext-perl
liblogging
liblognorm
libmnl
libnetfilter-conntrack
libnfnetlink
libpipeline
libpsl
libseccomp
libselinux
libsemanage
libsepol
libtasn1-6
libtext-charwidth-perl
libtext-iconv-perl
libtext-wrapi18n-perl
libunistring
libx11
libxau
libxcb
libxdmcp
libxext
libxmu
logrotate
lsb
lvm2
lz4
mawk
nano
ncurses
netbase
nettle
newt
npth
openssh
openssl
openssl1.0
p11-kit
pam
pcre3
perl
pinentry
popt
procps
readline
rsyslog
sed
sensible-utils
shadow
slang2
sqlite3
sudo
systemd
sysvinit
tar
tasksel
tcp-wrappers
tzdata
ucf
ustr
util-linux
vim
wget
xapian-core
xauth
xz-utils
zlib

About Debian 8 Jessie (by )

Wed, 20 Apr 2022 11:58:57 +0200

Extended LTS for Debian 8 Jessie

Support period

2015-04-26: Publication of Debian 8 Jessie
2018-06-17: Security support handed over to the Debian LTS team.
2020-06-30: End of support in Debian. Security support now handled by Freexian’s Extended LTS service.
2025-06-30: End of support.

Architectures supported

amd64
i386
armel
armhf

Limitations of support

Not all packages can be supported by our Extended LTS for Debian 8 service:

packages that have already been marked as unsupported by the Debian security/LTS teams are not supported: see list in git repository
some packages have limited support: see list in git repository
linux: we don’t provide security support for Linux 3.16 that was originally provided in Debian 8 Jessie. Instead we maintain a backport.
libav will not be supported
mariadb-10.0: it’s EOL at the upstream level
tomcat7: has reached its end-of-life (EOL) on March 2021. We continue to support it on a best effort basis but recommend to use Tomcat 8 instead
openjdk-7 will be supported as long as it’s maintained upstream, and we will also maintain an openjdk-8 backport.

Note that when you request a quote, we send you back a list of packages that are not supported or that have limitations in their support so that you can take an informed decision.

List of base packages

The following packages are part of Debian’s 8 base system and will thus always be supported (as long as we have customers paying for Debian 8 support):

acl
adduser
apt
attr
audit
base-files
base-passwd
bash
bind9
boost1.55
bsdmainutils
bzip2
ca-certificates
cdebconf
coreutils
cpio
cron
cryptsetup
dash
db5.3
debconf
debian-archive-keyring
debianutils
diffutils
dmidecode
dpkg
e2fsprogs
findutils
gcc-4.8
gcc-4.9
gdbm
glibc
gmp
gnupg
gnutls28
grep
groff
gzip
hostname
icu
ifupdown
init-system-helpers
insserv
iproute2
iptables
iputils
isc-dhcp
json-c
keyutils
kmod
krb5
less
libbsd
libcap2
libedit
libestr
libffi
libgcrypt20
libgpg-error
libidn
liblocale-gettext-perl
liblogging
liblognorm
libmnl
libnetfilter-acct
libnfnetlink
libpipeline
libpsl
libselinux
libsemanage
libsepol
libsigc++-2.0
libtasn1-6
libtext-charwidth-perl
libtext-iconv-perl
libtext-wrapi18n-perl
libusb
libx11
libxau
libxcb
libxdmcp
libxext
libxmu
logrotate
lsb
lvm2
man-db
manpages
mawk
nano
ncurses
netbase
netcat
nettle
net-tools
newt
nfacct
openssh
openssl
p11-kit
pam
pcre3
perl
popt
procps
readline6
rsyslog
sed
sensible-utils
shadow
slang2
startpar
sudo
systemd
sysvinit
tar
tasksel
tcp-wrappers
traceroute
tzdata
ustr
util-linux
vim
wget
xauth
xz-utils
zlib

How to setup a private mirror (by )

Wed, 28 Oct 2020 12:13:12 +0200

Why setup a private mirror?

Only customers of the “enterprise” offer have the required access to setup a private mirror with rsync (which is what’s described on this page).

They typically have very large setup with several thousands of servers needing access to the PHP LTS repositories and it makes sense for them to have their own local copy of the repository, both to save bandwidth and to limit their dependency to external infrastructure that is not under their control.

Step by step explanation to setup a private mirror

The explanations are tailored for Debian systems (version 10 or newer). Adapt them accordingly if you use some other operating system. You must have the rsync username and password given to you by Freexian. The rsync access is provided only to customers with a Pro or Business subscription.

Create a dedicated user

We recommend that you run the mirror under a dedicated user. It makes it easier to setup SSH push mirroring later on and is part of good security practice to isolate external interactions as much as possible.

For the purpose of this explanation, we will call the dedicated user mirror.

Let’s create the user with adduser and fill in the various fields:

$ sudo adduser --disabled-password mirror
Adding user 'mirror' ...
[...]
Is the information correct? [Y/n]

Installing the mirroring tool

We use the ftpsync tool developed by Debian to mirror APT Debian repositories. You can install it with apt install ftpsync or install it manually from this archive by following the instructions in the provided README.

Configuring the mirroring tool

In the dedicated user’s home directory, you will create the ~/.config/ftpsync/ftpsync-php.freexian.com.conf configuration file as well as a log directory. We will configure the mirror so that it stores the files in /srv/mirrors/php.freexian.com.

Note: you must change the value assigned to RSYNC_USER and RSYNC_PASSWORD to match the credentials that you have been given by Freexian.

# sudo mkdir -p /srv/mirrors/php.freexian.com
$ sudo chown mirror:mirror /srv/mirrors/php.freexian.com
$ sudo su - mirror
mirror$ mkdir -p .config/ftpsync log
mirror$ export RSYNC_USER=megacorp
mirror$ export RSYNC_PASSWORD=sekret1
mirror$ cat >.config/ftpsync/ftpsync-php.freexian.com.conf <<END
TO="/srv/mirrors/php.freexian.com/"
BASEDIR="$HOME"
LOGDIR="$HOME/log"
RSYNC_HOST="php.freexian.com"
RSYNC_PATH="php"
RSYNC_USER="$RSYNC_USER"
RSYNC_PASSWORD="$RSYNC_PASSWORD"
END
mirror$

Running the mirror regularly

Running the mirror with cron

To keep your mirror up-to-date, you have to run ftpsync sync:archive:php.freexian.com while being the mirror user.

We recommend that you run it from cron four times a day with a cron entry like this one (assuming that the system time is in UTC):

mirror$ (crontab -l; echo "17 2-23/6 * * * ftpsync sync:archive:php.freexian.com") | crontab -

The freexian package repository is updated at 0h, 6h, 12h, 18h (all times in UTC) and you want to avoid updating your local mirror at those times. Thus the suggestion is to use 2h, 8h, 14h, 20h. You are also invited to tweak the precise minute (17 in the example above) to a random value between 0 and 59 to spread the load so that not all servers connect at the same time.

Backporting security patches from Debian Extended LTS to Raspberry PI OS packages (by )

Thu, 04 Jul 2024 11:10:57 -0300

This document provides a base to backport security patches provided by Freexian Debian ELTS into Raspberry PI OS packages. We describe a git-based workflow, particularly using git-buildpackage, focusing also on source debian packages in "3.0 (quilt)" format, so the (security) patches to be backported should be found in the debian/patches/ directory, and applied according to debian/patches/series.

Prerequisites

The final outcome of following the workflow described in this document are debian source packages. You should have a working setup to build the binary packages from these source packages in a clean environment, taking the source debian package as input. This means building the packages using sbuild (+schroots), pbuilder, cowbuilder or similar. You should also have the building system able to produce binary packages for the target architecture (such as armhf).

Also, this document assumes you know how to download source packages from the Raspberry PI OS and from Freexian Debian Extended LTS repositories. Either by using apt-get source, or using dget. The Freexian Debian Extended LTS source package repositories are the same as those documented in How to use Extended LTS).

If you are not familiar with git-buildpackage, quilt and their workflows, we invite you to read the documentation listed at the end of the document.

Workflow

Generally the Raspberry PI OS packages include modifications on top of a specific Debian package. Those changes should mainly be present in the debian sources (the debian/ directory). For example, in the debian/rules file, or modifying the patches found in debian/patches/. The Debian Extended LTS security updates would also add new patches to the debian/patches/ directory, so the final goal of this workflow is to “merge” both the Raspberry PI OS and the Freexian Debian Extended LTS changes together.

Prepare a git repository from the source packages

As mentioned above, this document describes a git-based workflow. We document creating a git repository from scratch, but you may adapt the workflow to existing git repositories. Please refer to the git-buildpackage documentation, mentioned in the References at the end of the document. To create the git repository from scratch, you need to download the source packages first. We take as an example the glibc package from Debian 10 “buster”, and the Raspberry PI OS adaptations.

As of July 2024, the latest glibc package released for Raspberry PI OS (legacy), based on buster, was glibc 2.28-10+rpt2+rpi1+deb10u2, as it is found at the Raspberry PI OS glibc archive. It was based on glibc 2.28-10+deb10u2, from Debian 10 LTS. This specific glibc release is no longer available in any Debian regular repository. For the sake of the exercise, you can download it from https://snapshot.debian.org:

workdir$ dget -d https://snapshot.debian.org/archive/debian-security/20221017T122748Z/pool/updates/main/g/glibc/glibc_2.28-10+deb10u2.dsc

However, in practice, all the Debian Extended LTS source packages that you need should be available in the Freexian repositories.

The following command creates a git repository inside the glibc directory:

workdir$ cd glibc
workdir/glibc$ gbp import-dsc --pristine-tar --debian-branch=debian/buster --upstream-branch=upstream/2.28.x glibc_2.28-10+deb10u2.dsc

With the above command we tell gbp import-dsc to use pristine-tar(1), to place the upstream code in the upstream/2.28.x branch, and the debian sources in the debian/buster branch. This follows the recommended layout for Git packaging repositories (DEP-14). You can run git branch to take a look at the resulting branches in the repository:

workdir/glibc$ git branch
* debian/buster
  pristine-tar
  upstream/2.28.x

gbp import-dsc also creates upstream and debian tags for that release.

Now, for the Raspberry PI OS source package. First we have to download it:

workdir$ dget -d https://archive.raspberrypi.org/debian/pool/main/g/glibc/glibc_2.28-10+rpt2+rpi1+deb10u2.dsc

Then import the Raspberry PI OS glibc source package, putting the debian sources in the rpbios/buster branch.

workdir/glibc$ gbp import-dsc --pristine-tar --debian-branch=rbpios/buster --upstream-branch=upstream/2.28.x --create-missing-branches ../glibc_2.28-10+rpt2+rpi1+deb10u2.dsc

You should have now these branches in the repository:

workdir/glibc$ git branch
* debian/buster
  pristine-tar
  rbpios/buster
  upstream/2.28.x

As well as the following tags:

workdir/glibc$ git tag
debian/2.28-10+deb10u2
debian/2.28-10+rpt2+rpi1+deb10u2
upstream/2.28

We can take a look at the differences between both packages with git diff. To limit the size of the document, we highlight here the differences in the patches applied and those in debian/rules:

workdir/glibc$ git diff debian/2.28-10+deb10u2 debian/2.28-10+rpt2+rpi1+deb10u2
[...]
diff --git a/debian/patches/series b/debian/patches/series
index 211d5981..7bb55643 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,12 +28,14 @@ alpha/submitted-fts64.diff
 alpha/submitted-makecontext.diff
 
 arm/local-sigaction.diff
-arm/unsubmitted-ldconfig-cache-abi.diff
-arm/unsubmitted-ldso-abi-check.diff
+#arm/unsubmitted-ldconfig-cache-abi.diff
+#arm/unsubmitted-ldso-abi-check.diff
 arm/local-soname-hack.diff
 arm/local-vfp-sysdeps.diff
 arm/unsubmitted-ldso-multilib.diff
 arm/local-arm-futex.diff
+arm/sht_relr_new.diff
+arm/glibc-tls-libwidevinecdm.so-since-4.10.2252.0-has-TLS-with.patch
 
 hppa/local-inlining.diff
 
[...]
diff --git a/debian/rules b/debian/rules
index de564b5f..cda61b8f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -98,7 +98,7 @@ BASE_CXX = g++
 BASE_MIG = mig
 DEB_GCC_VERSION ?= -8
 
-RUN_TESTSUITE = yes
+RUN_TESTSUITE = no
 TIMEOUTFACTOR = 25
 
 # Set cross and native compiler names, including version.

Since the Raspberry PI OS glibc package is very close to the Debian package, we can create a fake merge commit for being able to “import” the changes from the next Debian release in a practical way:

workdir/glibc$ git checkout rbpios/buster
workdir/glibc$ git merge -s ours debian/buster

Importing changes from a new Debian Extended LTS release

Let’s consider now a new release of glibc was published, taking glibc_2.28-10+deb10u3 as example. It is from this version that you want to import the security fixes. Again we’ll use snapshot.debian.org as a source for our howto, but you’ll be getting your updates from the Freexian ELTS repo.

After downloading the new release, import the new source package with gbp import-dsc and merge it into the debian/buster branch:

workdir/glibc$ gbp import-dsc --pristine-tar --debian-branch=debian/buster --upstream-branch=upstream/2.28.x ../glibc_2.28-10+deb10u3.dsc

You can take a look at the differences between the two glibc Debian releases. These differences should be the patches that have been included in the last release, and that you want to apply to the Raspberry PI OS package. Again, to keep this document short, we show only part of the output:

workdir/glibc$ git diff debian/2.28-10+deb10u2 debian/2.28-10+deb10u3
[...]
diff --git a/debian/patches/series b/debian/patches/series
index 211d5981..023965ab 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -175,3 +175,6 @@ all/git-CVE-2021-33574-mq_notify-use-after-free.diff
 all/git-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.diff
 all/git-CVE-2022-23218-Buffer-overflow-in-sunrpc-svcunix_cre.diff
 all/git-CVE-2022-23219-Buffer-overflow-in-sunrpc-clnt_create.diff
+
+all/git-0001-iconv-ISO-2022-CN-EXT-fix-out-of-bound-writes-when-w.patch
+all/git-0002-misc-test-errno-linux-Handle-EINVAL-from-quotactl.patch

[...]

If you take a look at the debian/changelog from debian/2.28-10+deb10u3, you will find that these two patches listed above related to CVE-2024-2961. To import the last debian sources (including the patches) into the Raspberry PI OS buster branch, run git merge:

``console` workdir/glibc$ git checkout rbpios/buster workdir/glibc$ git merge debian/buster Auto-merging debian/changelog CONFLICT (content): Merge conflict in debian/changelog Auto-merging debian/patches/series Automatic merge failed; fix conflicts and then commit the result.


You should manually fix the conflicts in `debian/changelog`, resulting in
something like this:

glibc (2.28-10+deb10u3) buster-security; urgency=medium

Non-maintainer upload by the LTS Team.
CVE-2024-2961: Out-of-bounds write in iconv ISO-2022-CN-EXT module
Don’t ignore test failures during the build.

– Adrian Bunk bunk@debian.org Tue, 23 Apr 2024 19:23:00 +0300

glibc (2.28-10+rpt2+rpi1+deb10u2) buster; urgency=medium

arm/glibc-tls-libwidevinecdm.so-since-4.10.2252.0-has-TLS-with.patch
- https://lkml.org/lkml/2020/7/3/754
arm/sht_relr_new.diff
- https://github.com/xbmc/inputstream.adaptive/issues/678#issuecomment-839295299
Disable arm/unsubmitted-ldconfig-cache-abi.diff
Disable arm/unsubmitted-ldso-abi-check.diff

– Serge Schneider serge@raspberrypi.com Thu, 25 May 2023 16:59:39 +0100


You can check that the differences with the `debian/buster` branch are similar
to those before importing the new release:

```console
workdir/glibc$ git diff debian/buster HEAD
[...]
diff --git a/debian/patches/series b/debian/patches/series
index 023965ab..b4ba2d60 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,12 +28,14 @@ alpha/submitted-fts64.diff
 alpha/submitted-makecontext.diff
 
 arm/local-sigaction.diff
-arm/unsubmitted-ldconfig-cache-abi.diff
-arm/unsubmitted-ldso-abi-check.diff
+#arm/unsubmitted-ldconfig-cache-abi.diff
+#arm/unsubmitted-ldso-abi-check.diff
 arm/local-soname-hack.diff
 arm/local-vfp-sysdeps.diff
 arm/unsubmitted-ldso-multilib.diff
 arm/local-arm-futex.diff
+arm/sht_relr_new.diff
+arm/glibc-tls-libwidevinecdm.so-since-4.10.2252.0-has-TLS-with.patch
 
 hppa/local-inlining.diff
 
diff --git a/debian/rules b/debian/rules
index de564b5f..cda61b8f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -98,7 +98,7 @@ BASE_CXX = g++
 BASE_MIG = mig
 DEB_GCC_VERSION ?= -8
 
-RUN_TESTSUITE = yes
+RUN_TESTSUITE = no
 TIMEOUTFACTOR = 25
 
 # Set cross and native compiler names, including version.

[...]

For creating a new release based on this merge, you need to add a new changelog entry. You can use gbp dch for that, but you need to adjust the version manually, to make sure the new version will be higher than the one currently available in Raspberry PI OS. In this case, the version should be 2.28-10+rpt2+rpi1+deb10u3, and the resulting debian/changelog:

glibc(2.28-10+rpt2+rpi1+deb10u3) buster; urgency=medium

  * Import changes from Debian changes 2.28-10+deb10u3

 -- Package Maintainer <maintainer@example.com>  Thu, 04 Jul 2024 15:10:25 -0300

You need to verify that the patches apply cleanly:

workdir/glibc$ export QUILT_PATCHES=debian/patches
workdir/glibc$ quilt push -a

If everything goes well, quilt should be able to apply the full list of patches without conflicts or fuzz:

[...]
Applying patch debian/patches/all/git-0002-misc-test-errno-linux-Handle-EINVAL-from-quotactl.patch
patching file sysdeps/unix/sysv/linux/test-errno-linux.c

Now at patch debian/patches/all/git-0002-misc-test-errno-linux-Handle-EINVAL-from-quotactl.patch

In case quilt cannot apply a patch or a patch applies with fuzz, you should manually fix the conflicts and refresh the patch with quilt refresh. Patches that apply with fuzz usually do not require editing and only need a quilt refresh. Repeat iteratively until all the patches apply cleanly.

Build the source package

Once you are finished updating the patches, you can create the source package with debuild or gbp buildpackage. For example:

workdir/glibc$ gbp buildpackage --git-builder=/usr/bin/debuild --git-debian-branch=rbpios/buster --git-no-create-orig -us -uc -S -nc

You should find the files that compose the debian source package (.dsc etc.) in the parent directory (workdir/ in this example), and you can use them to build the binary package from them.

For future releases, you should only need to repeat steps 2 and 3.

Making your packages available in a repository

Beyond integrating the security fixes and building the binary packages, you may be interested in making your packages available via a repository for apt. There are different tools that can be used for that purpose. Describing them in detail is beyond the scope of this document, but we list some of the here for convenience:

aptly: https://www.aptly.info/
mini-dinstall: https://wiki.debian.org/DebianRepository/SetupWithMinidinstall
reprepro: https://wiki.debian.org/DebianRepository/SetupWithReprepro

You can find more information about in the Debian Administrator’s Handbook.

References

The workflow described here relies on the git-buildpackage and quilt tools. You can find more information about them in:

the git-buildpackage manual: https://honk.sigxcpu.org/projects/git-buildpackage/manual-html/
the quilt(1) manual page

ELA-1762-1 openvpn security update (by )

Sat, 27 Jun 2026 16:36:31 +0200

Package : openvpn

Version : 2.4.0-6+deb9u6 (stretch), 2.4.7-1+deb10u3 (buster)

Related CVEs : CVE-2026-40215

A vulnerability has been discovered in OpenVPN, a virtual private network application.

CVE-2026-40215: A race condition allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion.

ELA-1761-1 python-urllib3 security update (by )

Sat, 27 Jun 2026 05:16:03 +0200

Package : python-urllib3

Version : 1.19.1-1+deb9u5 (stretch), 1.24.1-1+deb10u6 (buster)

Related CVEs : CVE-2026-44431

It was discovered that python-urllib3, did not strip out sensitive headers (such as Authorization or Cookie) during cross-origin redirects followed from the low-level API. The issue may lead to information disclosure or authorization bypass.

The issue stems from an incomplete fix for CVE-2018-20060.

ELA-1760-1 yelp security update (by )

Sat, 27 Jun 2026 00:13:43 +0200

Package : yelp

Version : 3.22.0-1+deb9u2 (stretch), 3.31.90-1+deb10u2 (buster)

A vulnerability was discovered in yelp, the GNOME help browser, that allows a crafted help document to read files accessible to the user and exfiltrate them to a remote server through resources loaded by the embedded web view. When yelp is launched from a sandboxed application (for example via the Flatpak OpenURI portal), this also enables a sandbox escape.

The issue has not been assigned a CVE yet.

ELA-1759-1 ansible security update (by )

Fri, 26 Jun 2026 18:24:12 +0200

Package : ansible

Version : 2.7.7+dfsg-1+deb10u3 (buster)

Several flaws were found in ansible, a configuration management, deployment, and task execution system.

CVE-2019-14858: When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
CVE-2019-14905: A vulnerability was found in Ansible Engine, where in Ansible’s nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.
CVE-2020-1737: A flaw was found in Ansible when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal.
CVE-2020-14330 (regression in previous fix): A regression was found that caused the obfuscation of sensitive data to also apply to dictionary keys. This could cause ansible playbook runs to break if a password happened to substring match any of the required dictionary keys that were returned by ansible tasks, e.g. “changed”. This is fixed with this release.
CVE-2023-4237: When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system’s confidentiality, integrity, and availability.
CVE-2023-5764: A template injection flaw was found in Ansible where a user’s controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.
CVE-2024-0690: An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
CVE-2024-8775: A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
CVE-2024-9902: The ansible-core user module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the user module against the unprivileged user’s home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
CVE-2024-11079: This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

ELA-1758-1 libdbi-perl security update (by )

Fri, 26 Jun 2026 14:37:20 +0200

Package : libdbi-perl

Version : 1.636-1+deb9u3 (stretch), 1.642-1+deb10u3 (buster)

Related CVEs : CVE-2026-9698 CVE-2026-10879

CVE-2026-9698: Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers that can influence the error text in an application could therefore trigger a buffer overflow.
CVE-2026-10879: The preparse() method expands SQL placeholder characters within prepared statements to numbered binders of the form :pN, but only allocated three characters per binder in the buffer, leading to an out-of-bounds write when the statement had 10 or more binders.

ELA-1757-1 giflib security update (by )

Fri, 26 Jun 2026 07:34:25 +0200

Package : giflib

Version : 5.1.4-0.4+deb9u2 (stretch), 5.1.4-3+deb10u2 (buster)

Related CVEs : CVE-2026-23868 CVE-2026-26740

Two vulnerabilties have been found in giflib, a package of portable tools and library routines for working with GIF images, potentially allowing Denial of Service.

CVE-2026-23868

Giflib contains a double-free vulnerability that is the result of a shallow copy in GifMakeSavedImage and incorrect error handling. The conditions needed to trigger this vulnerability are difficult but may be possible.

CVE-2026-26740

A Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attacker to cause a denial of service via the EGifGCBToExtension overwriting an existing Graphic Control Extension block without validating its allocated size.

ELA-1756-1 libtext-csv-xs-perl security update (by )

Thu, 25 Jun 2026 23:22:45 +0200

Package : libtext-csv-xs-perl

Version : 1.26-1+deb9u1 (stretch), 1.38-1+deb10u1 (buster)

Related CVEs : CVE-2026-7111

A use-after-free issue was found in libtext-csv-xs-perl (Text::CSV_XS module), which may yield type confusion or memory corruption when registered callbacks extend the Perl argument stack.

ELA-1755-1 libhttp-daemon-perl security update (by )

Tue, 23 Jun 2026 21:50:24 -0300

Package : libhttp-daemon-perl

Version : 6.01-1+deb9u2 (stretch), 6.01-3+deb10u2 (buster)

Related CVEs : CVE-2026-8450

A flaw was discovered in libhttp-daemon-perl, a simple http server class for Perl, which may result in the execution of arbitrary shell commands or file overwrite when processing specially crafted input.

Monthly report about Debian Long Term Support, May 2026 (by Santiago Ruano Rincón)

Santiago Ruano Rincón — Fri, 19 Jun 2026 00:00:00 +0000

The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for May.

Activity summary

During the month of May, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 56 DLAs fixing 877 CVEs.

May was a much busier month than usual, especially due to the disclosed vulnerabilities on linux regarding Local Privilege Escalation (LPE), that included public proof-of-concept (PoC) exploits. These reports of course impacted Debian as a whole, and the situation warrants a special mention to the Kernel Team, especially Ben Hutching and Salvatore Bonaccorso, who faced the pace and released linux packages on a weekly basis. On the LTS side, the Front Desk team also triaged a significant flow of high severity CVEs.

It is also important to note that Debian 12 (“bookworm”) will be handed over to the LTS Team on June 11th. If you benefit from Debian, especially during the full 5-year lifecycle, please consider subscribing as a sponsor of Debian LTS: https://www.freexian.com/lts/debian/.

Moreover, Debian 11 (“bullseye”) will reach the end of the Debian LTS period on August 31st. After that, Freexian will continue the security support under the Extended LTS offer.

The team published several notable updates:

As mentioned above, several exploitable LPE vulnerabilities in linux were published during May. Ben released the following DLAs for the Debian LTS versions:
- DLA 4560-1 for linux (5.10)
- DLA 4561-1 for linux-6.1
- DLA 4572-1 for linux (5.10)
- DLA 4574-1 for linux-6.1
- DLA 4587-1 for linux (5.10)
- DLA 4588-1 for linux-6.1
- DLA 4606-1 for linux (5.10)
- DLA 4607-1 for linux-6.1
exim update (DLA-4580-1), prepared by Thorsten, to address a vulnerability that may result in remote code execution.
gnutls28 update (DLA-4595-1) by Guilhem Moulin, fixes several vulnerabilities that may result in execution of arbitrary code, information leak, authentication bypass, among other impacts.
krb5 updates released as DLA-4603-1, fixing two vulnerabilities that may yield to a denial of service. Updated prepared by Emmanuel Arias
lemonldap-ng (DLA-4602-1), released by Abhijith PA, fixing multiple vulnerabilities
Two imagemagick updates (DLA-4559-1 and DLA-4609-1), prepared by Bastien Roucariès, fixing several vulnerabilities
openjdk-11 and openjdk-17 updates (DLA-4566-1 and DLA-4565-1), both prepared by Emilio, to fix seven vulnerabilities.
php7.4 update (DLA-4586-1) to fix six vulnerabilities that could result in remote code execution, information disclosure or denial of service. Update prepared by Guilhem Moulin.
python3.9 update (DLA-4583-1), prepared by Arnaud Rebillout, addressing multiple vulnerabilities.

Contributions from outside the LTS Team:

We are greatly thankful for the contributions from people outside the LTS Team:

Colin Watson prepared an OpenSSH update, that was released by Santiago as DLA-4584-1.
Thomas Goirand handled a keystone update, whose advisory was done by Santiago and released as DLA-4611-1.
Christopher Obbard kindly prepared a sentry-python update, released as DLA-4612-1.
Christoph Goehre made two thunderbird updates (DLA-4562-1 and DLA-4582-1). As is customary, Emilio released the advisories.

The LTS Team has also contributed with updates to the latest Debian releases:

Andreas proposed a firewalld update for bookworm to fix a local issue that may result in bypass control rules.
Andreas proposed atril updates for trixie and bookworm.
Arnaud did a python3.11 upload for bookworm.
Arnaud proposed libarchive updates for trixie and bookworm.
Arnaud completed the systemd update for bookworm.
Bastien completed the uploads of gpsd for bookworm. He also did an upload of apache2 for bookworm.
Emmanuel uploaded updates of libexif for trixie and bookworm
Jochen Sprickerhof prepared pyjwt update for trixie and bookworm, released as DSA-6259-1.
Lukas Märdian prepared trixie and bookworm updates for nghttp2, released as DSA-6266-1.
Markus prepared updates of tomcat11 and tomcat10, released as DSA-6329-1 (for trixie) and DSA-6328-1 (for trixie and bookworm), respectively.
Continuing the work to replace the unmaintained p7zip fork with 7zip, Sylvain prepared trixie and bookworm updates of 7zip.
Thorsten completed the uploads of zvbi, taglib and libuev to bookworm and did an upload of libcoap3 for wtrixie.
Tobi prepared libpng1.6 updates for trixie and bookworm, released as DSA-6263-1.

Moreover, thanks to our partnership with Catalyst, it has been possible to extend the support for Samba 4.17, the version shipped with Debian 12. In May, several vulnerabilities were disclosed, and their patches were prepared by Catalyst. For Debian 12, the update was prepared by the Samba maintainer and released as DSA-6297-1.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 128 months)
- Civil Infrastructure Platform (CIP) (for 96 months)
- VyOS Inc (for 61 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 139 months)
- CONET Deutschland GmbH (for 122 months)
- University of Oxford (for 78 months)
- EDF SA (for 50 months)
- Dataport AöR (for 25 months)
- CERN (for 23 months)
Silver sponsors:
- Domeneshop AS (for 143 months)
- Nantes Métropole (for 137 months)
- Akamai - Linode (for 133 months)
- Univention GmbH (for 129 months)
- Université Jean Monnet de St Etienne (for 129 months)
- Ribbon Communications, Inc. (for 123 months)
- Exonet B.V. (for 113 months)
- Leibniz Rechenzentrum (for 107 months)
- Ministère de l’Europe et des Affaires Étrangères (for 91 months)
- Dinahosting SL (for 78 months)
- Upsun Formerly Platform.sh (for 72 months)
- Moxa Inc. (for 66 months)
- sipgate GmbH (for 64 months)
- OVH US LLC (for 62 months)
- Tilburg University (for 62 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 53 months)
- THINline s.r.o. (for 26 months)
- Copenhagen Airports A/S (for 20 months)
- Conseil Départemental de l’Isère (for 6 months)
Bronze sponsors:
- Seznam.cz, a.s. (for 144 months)
- Evolix (for 143 months)
- Linuxhotel GmbH (for 141 months)
- Intevation GmbH (for 140 months)
- Daevel SARL (for 139 months)
- Megaspace Internet Services GmbH (for 138 months)
- Greenbone AG (for 137 months)
- NUMLOG (for 137 months)
- WinGo AG (for 136 months)
- Entr’ouvert (for 128 months)
- Adfinis AG (for 125 months)
- Plat’Home (for 122 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 120 months)
- Tesorion (for 120 months)
- Bearstech (for 111 months)
- LiHAS (for 111 months)
- Catalyst IT Ltd (for 106 months)
- Demarcq SAS (for 100 months)
- Université Grenoble Alpes (for 86 months)
- TouchWeb SAS (for 78 months)
- SPiN AG (for 75 months)
- CoreFiling (for 71 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 62 months)
- Tem Innovations GmbH (for 57 months)
- WordFinder.pro (for 57 months)
- CNRS DT INSU Résif (for 56 months)
- Soliton Systems K.K. (for 51 months)
- Alter Way (for 48 months)
- SOBIS Software GmbH (for 23 months)
- Tuxera Inc. (for 15 months)
- OPM-OP AS (for 6 months)

ELA-1738-2 linux-5.10 regression update (by )

Thu, 18 Jun 2026 11:34:12 -0300

Package : linux-5.10

Version : 5.10.257-1~deb10u2 (buster)

No-changes update to fix issues related to the repository metadata and relationship among the packages, due to infrastructure hiccups.

ELA-1739-2 linux-6.1 regression update (by )

Thu, 18 Jun 2026 11:34:12 -0300

Package : linux-6.1

Version : 6.1.174-1~deb10u2 (buster)

No-changes update to fix issues related to the repository metadata and relationship among the packages, due to infrastructure hiccups.

Debian Contributions: Go default compatibility, Trimming build-essential, Python upstream engagement and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Mon, 15 Jun 2026 00:00:00 +0000

Debian Contributions: 2026-05

Contributing to Debian is part of Freexian’s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Go default compatibility, by Helmut Grohne

At the MiniDebConf Hamburg, Andrew Lee had prepared a talk on how Debian accidentally chooses Go compatibility. Helmut joined Tobias Quathammer and Andrew Lee in looking into the problem. Go has a compatibility system where modules declare a desired Go version to be compatible with. This influences various features such as whether RSA keys smaller than 1024 bits are accepted. Unfortunately, Debian’s way of building Go packages is unique in setting GO111MODULE=off, which practically implies a very old compatibility version that enables a number of insecure settings. Most Linux distributions use the default GO111MODULE=on and therefore consult a go.mod file that often declares a sensible version. While doing so is the way for Debian longer term, getting there involves major changes so we also sought a more short term workaround. We developed a patch to the Go compiler that would enable it to pick up a compatibility version from the environment. Tobias uploaded it to unstable. The next step is communicating the declared compatibility version from go.mod to the compiler via the new variable. Then, rebuilding the archive resolves the immediate symptoms. This does not save us from having to perform the larger transition to GO111MODULE=on, but this shortcut can be backported to trixie.

Trimming build-essential, by Helmut Grohne

One of the harder problems of the architecture cross bootstrap is correctly expressing the Build-Depends of glib during the toolchain bootstrap. It implicitly depends on build-essential, which happens to depend on libc6-dev. This poses a cycle. It applies even for cross building, because it is interpreted for the host architecture and that there is no way of satisfying this dependency during the toolchain bootstrap.

Given discussions at MiniDebConf Hamburg with Jochen Sprickerhof and others, a seemingly stupid idea evolved: Let’s delete build-essential. What looks insane on the surface might deserve a second look. Given how we moved away from C, C++ and autotools, what is in build-essential no longer is required by much of the archive. With the rise of debputy, debian/rules no longer has to be a makefile. While the task would be huge, those packages relevant to architecture bootstrap could explicitly support building without the implied dependency making their dependencies explicit. In a number of cases, this amounts to issuing a dependency on g++-for-host. This dependency requires the use of architecture-prefixed tools. Therefore, Helmut wrote a debhelper change that makes it always pass build tools to various build systems. This also enables more packages to honour environment variables such as CC and CXX.

Python upstream engagement, by Stefano Rivera

Stefano attended PyCon US (at personal expense) to improve upstream relations and ensure Debian’s voice is heard where it needs to be. On Friday there was a packaging summit (notes) with good discussion on the future of the wheel format, and some discussion of the new abi3t shared library format for free-threaded python.

In preparation for the event, Stefano did a complete review of the current patch stack.

Stefano’s primary goal was to get some of Debian’s patches merged during the sprints, and results were mixed. Some trivial patches (e.g. GH-150098, made progress and merged, but the most consequential patch Debian is carrying is still blocked. Stefano will continue to try to drive progress on this.

Miscellaneous contributions

Carles worked on po-debconf-manager: Reviewed Catalan translations for 6 packages, submitted 10 packages to maintainers, and removed 3 packages from po-debconf-manager.
Carles worked on check-relations: Continued improving the backend, including importing source package build dependencies to better support analysis of Debian blends. Added support for ignoring packages using regular expressions and source package names in response to user feedback. Used the tool to report 5 new bugs and followed up on previously reported issues.
Helmut sent a cross build patch on behalf of a customer.
Helmut uploaded debvm and guess_concurrency both featuring improved reproducibility and documentation.
Helmut continued maintaining rebootstrap and made it correctly handle binNMUs of gcc-defaults. Additionally, he poked at existing gcc patches giving answers, rebasing or closing them.
Helmut supported the video team in Hamburg mixing audio.
Helmut continued to report undeclared file conflicts of various kinds and corresponded with maintainers about them.
Antonio attended a debate during the Brazil Internet Forum about the impacts of the child protection regulation (ECA Digital) on free software operating systems.
Antonio worked on Debian CI to improve the system transparency for users. This included listing any pending jobs explicitly in the job lists for each package/architecture/suite page, as well as adding a queue status page that users can check for an estimate of test latency.
Antonio worked on several Debian CI maintenance tasks, including but not limited to some monitoring improvements, replacing usage of fonts-font-awesome with fonts-fork-awesome, and adding the ability in debci to configure a global notice (which is being used in Debian CI to point to the system status pages).
Antonio started doing some tests related to the change of default Debian CI backend from lxc to incus-lxc. This helped identify an omission in the creation of incus-lxc images. It was missing dpkg-dev, which caused a few packages that assumed its presence to fail. In the end, the incus-lxc backend will be fixed to include dpkg-dev by default in the image, but that uncovered an undeclared dependency in gem2deb (Ruby packaging helper) and in ruby-byebug, both already fixed in unstable.
Stefano did some minimal work on debian-reimbursements to get it working with current versions of django-allauth.
May included the discovery of several high-severity Linux kernel root exploits. Stefano updated kernels and rebooted debian.social infrastructure several times.
Stefano supported the Hamburg miniDebConf’s wafer website during the event, and set up an instance for the 2027 edition too.
Stefano supported the bursary team issuing bursaries for DebConf 26.
Stefano uploaded routine updates of python-pip, pystemmer, snowball-data, snowball (making up a mini, uncoordinated snowball transition), python-authlib, python-discovery, python-installer, python-mitogen, python-pipx, python-cachecontrol, platformdirs, and python-virtualenv.
Stefano fixed a small number of bugs in dh-python, culminating in the 7.20260524 upload.
Thorsten finally managed to upload a new upstream version of hplip. He also uploaded a new upstream version of epson-inkjet-printer-escpr. Last but not least with the help of other contributors he could fix bugs in lprng.
Lucas and Santiago contributed significantly to the DebConf 26 Content team; helping to organize the team, review and rate talk proposals.
Lucas also supported a packaging sprint held in India by rebuilding and publishing the latest results of the Ruby 3.4 transition effort.
Santiago continued contributing to the efforts to organize DebConf 26, especially supporting the local team with different tasks.
In collaboration with Emmanuel Arias, Santiago is mentoring Aryan Karamtoth, a GSoC participant that is working to introduce linux live-patching support in Debian. The GSoC project started in May, with community bonding and coding. Santiago reviewed a merge request to prepare the clang-extract package for debian. clang-extract is one of the building blocks that will help to extract specific functions from large C code, so only relevant code can be patched, without recompiling the whole original basecode.
Anupa assisted Jean-Pierre Giraud with the point release announcements for Debian 13.5 and Debian 12.14.
Colin backported various security fixes from OpenSSH 10.3 to all supported releases (including LTS and ELTS).
Colin backported IP quality-of-service fixes to OpenSSH in trixie. The situation there had been unsatisfactory for some time, and upstream reworked their QoS support in OpenSSH 10.1 in a way that typically produces much better results.
Colin imported new upstream versions of 26 Python packages, and fixed around 25 RC bugs for the Python team.

ELA-1754-1 apache2 security update (by )

Sun, 14 Jun 2026 11:03:58 +0200

Package : apache2

Version : 2.4.59-1~deb10u9 (buster)

Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in remote code execution, privilege escalation, denial of service or information disclosure.

ELA-1753-1 libxml2 security update (by )

Tue, 09 Jun 2026 10:33:45 +0200

Package : libxml2

Version : 2.9.4+dfsg1-2.2+deb9u16 (stretch), 2.9.4+dfsg1-7+deb10u14 (buster)

Several security issues were found in libxml2, the GNOME XML library, which could lead to Denial of Service.

CVE-2025-8732: Catalog parsing functions were missing cycle detection. When a catalog file contains a CATALOG directive pointing to itself, xmlExpandCatalog() and xmlParseSGMLCatalog() recursively call each other without bounds until stack overflow.
CVE-2026-0989: The RelaxNG parser does not limit the recursion depth when resolving <include> directives, which may lead to stack overflow on malicious RelaxNG schema file.
CVE-2026-0990: Nick Wellnhofer discovered that xmlCatalogXMLResolveURI() will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow.
CVE-2026-0992: Nick Wellnhofer discovered that processing a chain of XML catalogs linked with <nextCatalog> and having the <nextCatalog> element takes exponential time, leading to denial of service via resource exhaustion.
CVE-2026-1757: The command parsing logic of the xmllint(1) interactive shell was found to leak memory.

In addition, a few other security issues were found for which no CVE ID was assigned yet:

Memory leak of prefix in xmlTextWriterStartElementNS().
Potential use-after-free issue in xmlRelaxNGValidateValue().
Memory leak in xmlTextWriterStartAttributeNS().
Additional memory leaks on error paths in schematron.
Stack overflow from self-referencing SGML CATALOG entries.

ELA-1752-1 apache2 security update (by )

Sun, 07 Jun 2026 23:12:13 +0200

Package : apache2

Version : 2.4.25-3+deb9u24 (stretch), 2.4.59-1~deb10u8 (buster)

Related CVEs : CVE-2026-49975

It was discovered that incorrect cookie header accounting in the HTTP/2 implementation of the Apache HTTP server may result in denial of service (excessive resources consumption).

ELA-1751-1 dovecot security update (by )

Sat, 06 Jun 2026 13:12:00 +0200

Package : dovecot

Version : 1:2.3.4.1-5+deb10u9 (buster)

Multiple vulnerabilities were discovered in dovecot, a POP3/IMAP server, which could lead to Denial of Service, information leak, path traversal, authentication bypass or timing side channel attacks.

CVE-2025-59031: The decode2text.sh example script, which was installed into dovecot-core/examples, was found handle zip-style attachment in an unsafe manner. In particular, OOXML extraction may follow symlinks and read unintended files during indexing. The script is no longer installed.
CVE-2025-59032: It was found that the ManageSieve AUTHENTICATE command crashes the ManageSieve service when using literal as SASL initial response, leading to Denial of Service.
CVE-2026-0394: A pass traversal vulnerability was discovered in the passwd-file passdb/userdb when dovecot has been configured to use per-domain passwd files, allowing inadvertently reading /etc/passwd in some situations. If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can incorrectly make system users appear valid users.
CVE-2026-27856: Doveadm credentials were not checked using timing-safe checking functions. An attacker can exploit this issue to discover configured credentials, leading into full access to the affected component.
CVE-2026-27857: It was discovered that sending excessive parenthesis caused the imap-login process to use excessive memory, leading to Denial of Service.
CVE-2026-27858: It was discovered that the managesieve-login process could allocate large amount of memory during authentication via specifically crafted message, leading to Denial of Service.
CVE-2026-27859: It was discovered that excessive RFC 2231 MIME parameters in email would cause excessive CPU usage, which could lead to Denial of Service. Dovecot now limits the number of parameters to process.
CVE-2026-33603: An attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding and later eavesdrop communications between Dovecot and client as MITM proxy.
CVE-2026-40020: An attacker can use the IMAP SETACL command to inject the anyone permission to user’s dovecot-acl file even if imap_acl_allow_anyone=no, thereby allowing folders to be spammed to all users. (The impact was limited to being able to spam folders to other users. No unexpected access is gained.)

ELA-1750-1 gsasl security update (by )

Fri, 05 Jun 2026 15:58:30 +0200

Package : gsasl

Version : 1.8.0-8+deb9u2 (stretch), 1.8.0-8+deb10u2 (buster)

Related CVEs : CVE-2026-48829

It was discovered that missing input sanitising in the DIGEST-MD5 parser of the GNU SASL library could result in denial of service.

ELA-1749-1 exim4 security update (by )

Fri, 05 Jun 2026 09:12:38 +0200

Package : exim4

Version : 4.89-2+deb9u15 (stretch), 4.92-8+deb10u12 (buster)

Related CVEs : CVE-2026-48840

Warisjeet Singh discovered that Exim, a mail transport agent, does not properly handle PROXY frames whose declared payload length is too short for the claimed address family, which may result in information disclosure in configurations with SUPPORT_PROXY and ‘host_proxy’ set.

ELA-1748-1 gimp security update (by )

Thu, 04 Jun 2026 12:28:57 +0200

Package : gimp

Version : 2.8.18-1+deb9u10 (stretch)

Related CVEs : CVE-2026-4150 CVE-2026-4153

Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed PSP or PSD files are opened.

ELA-1747-1 gimp security update (by )

Thu, 04 Jun 2026 12:27:02 +0200

Package : gimp

Version : 2.10.8-2+deb10u9 (buster)

Related CVEs : CVE-2026-4150 CVE-2026-4152 CVE-2026-4153

ELA-1746-1 corosync security update (by )

Wed, 03 Jun 2026 17:30:27 -0300

Package : corosync

Version : 2.4.2-3+deb9u3 (stretch), 3.0.1-2+deb10u3 (buster)

Related CVEs : CVE-2026-35091 CVE-2026-35092

Two vulnerabilities have been found in corosync, a cluster engine daemon and utilities, that allow a remote, unauthenticated attacker to cause a denial of service.

CVE-2026-35091

A remote unauthenticated attacker can exploit a wrong return value
vulnerability in the Corosync membership commit token sanity check by
sending a specially crafted User Datagram Protocol (UDP) packet. This can
lead to an out-of-bounds read, causing a denial of service (DoS) and
potentially disclosing limited memory contents.

CVE-2026-35092

An integer overflow vulnerability in Corosync's join message sanity
validation allows a remote, unauthenticated attacker to send crafted User
Datagram Protocol (UDP) packets. This can cause the service to crash,
leading to a denial of service.

ELA-1745-1 imagemagick security update (by )

Mon, 01 Jun 2026 23:13:59 +0200

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u29 (stretch)

Multiple security vulnerabilities were discovered in imagemagick, a software suite used for editing and manipulating digital images, which could lead to denial of service, information disclosure or potentially arbitrary code execution if malformed images are processed.

ELA-1744-1 p7zip-rar security update (by )

Mon, 01 Jun 2026 16:06:11 +0200

Package : p7zip-rar

Version : 16.02+really25.00+ds-0+deb9u1 (stretch)

The ELA-1742-1 update for p7zip breaks compatibility with p7zip-rar. While p7zip-rar is currently not supported for stretch, we applied the same codebase upgrade so both packages work together again.

ELA-1743-1 p7zip-rar update (by )

Mon, 01 Jun 2026 16:06:07 +0200

Package : p7zip-rar

Version : 16.02+really25.00+ds-0+deb10u1 (buster)

Related CVEs : CVE-2025-53816

The ELA-1742-1 update for p7zip breaks compatibility with p7zip-rar. While p7zip-rar is currently not supported for stretch, we applied the same codebase upgrade so both packages work together again.

ELA-1742-1 p7zip security update (by )

Mon, 01 Jun 2026 16:05:59 +0200

Package : p7zip

Version : 16.02+really25.01+dfsg-0+deb9u1 (stretch), 16.02+really25.01+dfsg-0+deb10u1 (buster)

Multiple vulnerabilities were discovered in p7zip, a now unmaintained fork of 7-Zip, a file archiver handling multiple formats.

To address these security vulnerabilities, whose fixes are unfortunately not isolated, this update replaces p7zip with 7-Zip v25 (which now supports GNU/Linux natively), slightly modified to make it reasonably compatible with p7zip.

CVE-2022-47069

heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd
CVE-2023-31102

Ppmd7.c allows an integer underflow and invalid read operation via a crafted 7Z archive.
CVE-2023-40481

SquashFS File Parsing Out-Of-Bounds Write RCE
CVE-2023-52168

heap-based buffer overflow in NTFS handler
CVE-2023-52169

out-of-bounds read in NTFS handler
CVE-2024-11612

CopyCoder Infinite Loop Denial-of-Service
CVE-2025-11001

ZIP File Parsing Directory Traversal RCE
CVE-2025-11002

ZIP File Parsing Directory Traversal RCE
CVE-2025-53817

null pointer dereference in the Compound handler may lead to denial of service
CVE-2025-55188

does not always properly handle symbolic links

ELA-1741-1 imagemagick security update (by )

Mon, 01 Jun 2026 14:02:46 +0200

Package : imagemagick

Version : 8:6.9.10.23+dfsg-2.1+deb10u18 (buster)

ELA-1740-1 nginx security update (by )

Sat, 30 May 2026 15:01:08 -0300

Package : nginx

Version : 1.10.3-1+deb9u10 (stretch), 1.14.2-2+deb10u7 (buster)

Multiple vulnerabilities were discoverd in Nginx, a high-performance web and reverse proxy server, which could result in bypass of authorisation rules or rate limits, denial of service or memory disclosure.

CVE-2025-53859

NGINX Open Source has a vulnerability in the ngx_mail_smtp_module that
might allow an unauthenticated attacker to over-read NGINX SMTP
authentication process memory; as a result, the server side may leak
arbitrary bytes sent in a request to the authentication server. This issue
happens during the NGINX SMTP authentication process and requires the
attacker to make preparations against the target system to extract the
leaked data. The issue affects NGINX only if (1) it is built with the
ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method
"none," and (3) the authentication server returns the "Auth-Wait" response
header.

CVE-2026-1642

A vulnerability exists in NGINX OSS when configured to proxy to upstream
Transport Layer Security (TLS) servers. An attacker with a
man-in-the-middle (MITM) position on the upstream server side—along with
conditions beyond the attacker's control—may be able to inject plain text
data into the response from an upstream proxied server.

CVE-2026-9256

NGINX Open Source has a vulnerability in the ngx_http_rewrite_module
module. This vulnerability exists when a rewrite directive uses a regex
pattern with distinct, overlapping Perl-Compatible Regular Expression
(PCRE) captures (for example, ^/((.*))$) and a replacement string that
references multiple such captures (for example, $1$2) in a redirect or
arguments context. An unauthenticated attacker along with conditions beyond
their control can exploit this vulnerability by sending crafted HTTP
requests. This may cause a heap buffer overflow in the NGINX worker process
leading to a restart. Additionally, attackers can execute code on systems
with Address Space Layout Randomization (ASLR) disabled or when the
attacker can bypass ASLR.

CVE-2026-27651

When the ngx_mail_auth_http_module module is enabled on NGINX Open Source,
undisclosed requests can cause worker processes to terminate. This issue
may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the
authentication server permits retry by returning the Auth-Wait response
header.

CVE-2026-27654

NGINX Open Source has a vulnerability in the ngx_http_dav_module module
that might allow an attacker to trigger a buffer overflow to the NGINX
worker process; this vulnerability may result in termination of the NGINX
worker process or modification of source or destination file names outside
the document root. This issue affects NGINX Open Source when the
configuration file uses DAV module MOVE or COPY methods, prefix location
(nonregular expression location configuration), and alias directives. The
integrity impact is constrained because the NGINX worker process user has
low privileges and does not have access to the entire system.

CVE-2026-27784

The 32-bit implementation of NGINX Open Source has a vulnerability in the
ngx_http_mp4_module module, which might allow an attacker to over-read or
over-write NGINX worker memory resulting in its termination, using a
specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source
if it is built with the ngx_http_mp4_module module and the mp4 directive is
used in the configuration file. Additionally, the attack is possible only
if an attacker can trigger the processing of a specially crafted MP4 file
with the ngx_http_mp4_module module.

CVE-2026-28753

NGINX Open Source has a vulnerability in the ngx_mail_smtp_module module
due to the improper handling of CRLF sequences in DNS responses. This
allows an attacker-controlled DNS server to inject arbitrary headers into
SMTP upstream requests, leading to potential request manipulation.

CVE-2026-32647

NGINX Open Source has a vulnerability in the ngx_http_mp4_module module,
which might allow an attacker to trigger a buffer over-read or over-write
to the NGINX worker memory resulting in its termination or possibly code
execution, using a specially crafted MP4 file. This issue affects NGINX
Open Source if it is built with the ngx_http_mp4_module module and the mp4
directive is used in the configuration file. Additionally, the attack is
possible only if an attacker can trigger the processing of a specially
crafted MP4 file with the ngx_http_mp4_module module.

CVE-2026-40701

NGINX Open Source has a vulnerability in the ngx_http_ssl_module module
when the ssl_verify_client directive is set to "on" or "optional," and the
ssl_ocsp directive is set to "on" or the leaf parameters are configured
with a resolver. With this configuration, an unauthenticated attacker can
send requests along with conditions beyond its control that may cause a
heap-use-after-free error in the NGINX worker process. This vulnerability
may result in limited modification of data or the NGINX worker process
restarting.

CVE-2026-42934

NGINX Open Source has a vulnerability in the ngx_http_charset_module
module. When charset, source_charset, and charset_map and proxy_pass with
disabled buffering ("off") directives are configured, unauthenticated
attackers can send requests that with conditions beyond the attackers'
control to cause a heap buffer over-read in the NGINX worker process,
leading to limited disclosure of memory or a restart.

CVE-2026-42945

NGINX Open Source has a vulnerability in the ngx_http_rewrite_module
module. This vulnerability exists when the rewrite directive is followed by
a rewrite, if, or set directive and an unnamed Perl-Compatible Regular
Expression (PCRE) capture (for example, $1, $2) with a replacement string
that includes a question mark (?). An unauthenticated attacker along with
conditions beyond its control can exploit this vulnerability by sending
crafted HTTP requests. This may cause a heap buffer overflow in the NGINX
worker process leading to a restart. Additionally, for systems with Address
Space Layout Randomization (ASLR) disabled, code execution is possible.

CVE-2026-42946

A vulnerability exists in the ngx_http_scgi_module and
ngx_http_uwsgi_module modules that may result in excessive memory
allocation or an over-read of data. When scgi_pass or uwsgi_pass is
configured, an unauthenticated attacker with man-in-the-middle (MITM)
ability to control responses from an upstream server may be able to read
the memory of the NGINX worker process or restart it.

ELA-1739-1 linux-6.1 security update (by )

Fri, 29 May 2026 21:09:13 -0300

Package : linux-6.1

Version : 6.1.174-1~deb9u1 (stretch), 6.1.174-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1738-1 linux-5.10 security update (by )

Fri, 29 May 2026 21:07:54 -0300

Package : linux-5.10

Version : 5.10.257-1~deb9u1 (stretch), 5.10.257-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This version additionally includes many more bug fixes from stable updates 5.10.252-5.10.257.

ELA-1737-1 libexif security update (by )

Fri, 29 May 2026 08:26:32 -0300

Package : libexif

Version : 0.6.21-2+deb9u6 (stretch), 0.6.21-5.1+deb10u6 (buster)

Three security vulnerabilities were discovered in libexif, a library to reads and writes EXIF metainformation from and to images files, that can causes crashes or information leaks.

CVE-2026-32775

If the exif_mnote_data_get_value function in MakerNotes gets passed
in a 0 size, the passed in-buffer would be overwritten due to an
integer underflow.

CVE-2026-40385

An unsigned 32bit integer overflow in Nikon MakerNote handling could
be used by local attackers to cause crashes or information leaks.

CVE-2026-40386

An integer underflow in size checking for Fuji and Olympus MakerNote
decoding could be used by attackers to crash or leak information out
of libexif-using programs.

ELA-1735-1 nghttp2 security update (by )

Thu, 28 May 2026 10:42:08 +0200

Package : nghttp2

Version : 1.18.1-1+deb9u5 (stretch), 1.36.0-2+deb10u4 (buster)

Related CVEs : CVE-2026-27135

It was discovered that nghttp2, an implementation of the HTTP/2 protocol, could be crashed via an assertion failure. A remote attacker could exploit this to cause a DoS attack by sending a malformed frame immediately after triggering the termination path.

ELA-1736-1 erlang security update (by )

Wed, 27 May 2026 20:28:28 -0300

Package : erlang

Version : 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u6 (stretch), 1:22.2.7+dfsg-1+deb10u5 (buster)

Multiple vulnerabilities were discoverd in Erlang, a concurrent, real-time, distributed functional language.

CVE-2026-21620

Insufficient path sanitizing in tftp_file module.

CVE-2026-23941

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in Erlang OTP (inets httpd module) allows HTTP Request
Smuggling.

CVE-2026-23942

Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path
Traversal.

CVE-2026-23943

Improper Handling of Highly Compressed Data (Compression Bomb)
vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of
Service via Resource Depletion.

ELA-1734-1 nodejs security update (by )

Tue, 26 May 2026 22:10:01 +0200

Package : nodejs

Version : 10.24.0~dfsg-1~deb10u8 (buster)

Multiple vulnerabilities were discovered in Node.js, which could result in denial of service.

CVE-2025-59465

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`.
Instead of safely closing the connection, the process crashes, enabling a remote denial of service.

CVE-2026-21637

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server.

CVE-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level)
that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame,
but the Http2Session object is never cleaned up.

ELA-1733-1 memcached security update (by )

Tue, 26 May 2026 11:55:08 -0700

Package : memcached

Version : 1.4.33-1+deb9u3 (stretch), 1.5.6-1.1+deb10u2 (buster)

Related CVEs : CVE-2026-47783 CVE-2026-47784

Two side-channel attacks were discovered in memcached, an in-memory key/value database store. This could have been used to reveal or extract information about authentication details.

ELA-1732-1 gnutls28 security update (by )

Sun, 24 May 2026 11:42:45 +0200

Package : gnutls28

Version : 3.5.8-5+deb9u11 (stretch), 3.6.7-4+deb10u16 (buster)

CVE-2026-3833

Oleh Konko and Joshua Rogers independently discovered that domain name comparison during name constraints processing was case-sensitive, thereby violating RFC 5280 §7.2. For excluded name constraints, this could lead to incorrectly accepting domain names that should’ve been rejected.

CVE-2026-5260

Joshua Rogers discovered that for a server using an RSA key backed by a PKCS#11 token, a client sending an extremely short premaster secret during an RSA key exchange could trigger a short heap overread.

This vulnerability does not after the GnuTLS version found in stretch (or any version prior to 3.6.5).

CVE-2026-33845

Joshua Rogers a remotely triggerable underflow in the DTLS reassembly code leading to a heap overrun.

CVE-2026-33846

Haruto Kimura, Oscar Reparaz and Zou Dikai independently discovered that GnuTLS failed to properly check that DTLS fragments claimed a consistent message_length value, and that a missing bound check on the array was missing, enabling an attacker to cause a heap overwrite.

CVE-2026-42009

Joshua Rogers discovered that the comparator function used for ordering DTLS packets by sequence numbers did not follow qsort comparator contracts in case of packets with duplicate sequence numbers, which could lead to undefined behaviour.

CVE-2026-42010

Joshua Rogers discovered that servers configured with RSA-PSK wrongfully matched usernames with NUL character in them to ones truncated to NUL character, which could lead to an authentication bypass.

CVE-2026-42011

Haruto Kimura discovered that permitted name constraints were wrongfully ignored when prior CAs only had excluded name constraints, resulting in a name constraint bypass.

CVE-2026-42012

Oleh Konko discovered that certificates containing URI or SRV Subject Alternative Names would fall back to checking DNS hostnames against Common Name, thereby violating RFC 6125 §6.3. This could allow potential misuse of such certificates beyond their original purpose.

Note: This is a breaking change for setups relying on non RFC6125-compliant behavior such as unconditional CN fallback or CN fallback with unsupported SAN type.

CVE-2026-42013

Haruto Kimura and Joshua Rogers independently discovered that validation of certificates with oversized Subject Alternative Names would fall back to checking DNS hostnames against Common Name.

CVE-2026-42014

Luigino Camastra and Joshua Rogers discovered that changing the Security Officer PIN with gnutls_pkcs11_token_set_pin() with oldpin == NULL for a token lacking a protected authentication path led to a use-after-free.

This vulnerability does not after the GnuTLS version found in stretch (or any version prior to 3.6.5).

This update also fixes additional security issues for which no CVE ID was assigned yet:

Joshua Rogers discovered that the OCSP signing EKU OID was compared without verifying its length, allowing a shorter OID that shares the same prefix to match.
Haruto Kimura discovered a possible invalid pointer dereference in the PKCS#11 trust removal error path.
Kamil Frankowicz discovered that gnutls_privkey_verify_params() overlooked the scenario of p and q not being co-prime. It now returns GNUTLS_E_PK_INVALID_PRIVKEY in this case.
Joshua Rogers discovered that if gnutls_x509_crt_list_import_pkcs11() failed partway through, then the trust list cleanup code would try to free already-deinitialized certificate entries, leading to a double-free.
Kamil Frankowicz and Joshua Rogers idependently discovered that insufficient bounds checking on the PEM header length could lead to short heap overreads on specially crafted inputs.

ELA-1731-1 evince security update (by )

Sat, 23 May 2026 08:24:34 +0200

Package : evince

Version : 3.22.1-3+deb9u4 (stretch), 3.30.2-3+deb10u2 (buster)

Related CVEs : CVE-2026-46529

It was discovered that evince, a simple multi-page document viewer, is prone to a command injection vulnerability if a specially crafted PDF file is opened.

ELA-1730-1 openjpeg2 security update (by )

Thu, 21 May 2026 15:01:42 +0200

Package : openjpeg2

Version : 2.1.2-1.1+deb9u9 (stretch)

Related CVEs : CVE-2025-50952 CVE-2026-6192

Multiple vulnerabilities have been fixed in the JPEG 2000 image library OpenJPEG.

CVE-2025-50952

Avoid potential undefined behaviour in opj_dwt_decode_tile()

CVE-2026-6192

A vulnerability was identified in uclouvain. This impacts the function
opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation
leads to integer overflow. The attack must be carried out locally.

ELA-1729-1 openjpeg2 security update (by )

Thu, 21 May 2026 15:00:18 +0200

Package : openjpeg2

Version : 2.3.0-2+deb10u5 (buster)

Related CVEs : CVE-2026-6192

A vulnerability was identified in uclouvain. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally.

ELA-1718-1 python-gevent security update (by )

Wed, 20 May 2026 17:59:06 -0300

Package : python-gevent

Version : 1.3.7-1+deb10u1 (buster)

Related CVEs : CVE-2023-41419

An issue in Gevent, a coroutine -based Python networking library, before version 23.9.0 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.

ELA-1728-1 apache2 security update (by )

Wed, 20 May 2026 00:23:51 +0200

Package : apache2

Version : 2.4.25-3+deb9u23 (stretch)

Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in remote code execution, privilege escalation, denial of service or information disclosure.

ELA-1727-1 linux-6.1 security update (by )

Mon, 18 May 2026 00:31:32 +0200

Package : linux-6.1

Version : 6.1.172-1~deb9u1 (stretch), 6.1.172-1~deb10u1 (buster)

Related CVEs : CVE-2026-46333

A vulnerability has been discovered in the Linux kernel that may lead to information leaks or local privilege escalation.

ELA-1726-1 linux-5.10 security update (by )

Sun, 17 May 2026 16:34:25 +0200

Package : linux-5.10

Version : 5.10.251-5~deb9u1 (stretch), 5.10.251-5~deb10u1 (buster)

Related CVEs : CVE-2026-46333

A vulnerability has been discovered in the Linux kernel that may lead to information leaks or local privilege escalation.

ELA-1725-1 libpng1.6 security update (by )

Sun, 17 May 2026 14:36:31 +0200

Package : libpng1.6

Version : 1.6.36-6+deb10u4 (buster)

Related CVEs : CVE-2026-34757 CVE-2026-40930

Two security vulnerabilities has been discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could leading to corrupted chunk data and potential heap information disclosure.

CVE-2026-34757

Passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct).

CVE-2026-40930

Three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to png_process_data. The practical impact depends on the application's CRC error handling configuration and may be denial of service (image fails to load - this is the default configuration) or if an application explictly chooses relaxed CRC handling the rendered image contains attacker-chosen content. A crafted fake length that exceeds the carrier chunk body would cause cascading desynchronization beyond the carrier chunk boundary.
The attack requires a malicious PNG delivered over the network and opened by a push-mode application. Sequential-mode reading is not affected.

Additionally this update fixes an upstream regression for CVE-2026-33416, released with ELA-1674-1, where when a transform modifying the palette were the only transform, a stale palette data has been used.

ELA-1724-1 libpng1.6 security update (by )

Sun, 17 May 2026 14:36:15 +0200

Package : libpng1.6

Version : 1.6.28-1+deb9u5 (stretch)

Related CVEs : CVE-2026-34757

A security vulnerability has been discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could leading to corrupted chunk data and potential heap information disclosure.

CVE-2026-34757

Passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct).

ELA-1723-1 php7.0 security update (by )

Sun, 17 May 2026 09:11:57 +0200

Package : php7.0

Version : 7.0.33-0+deb9u23 (stretch)

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in remote code execution, information disclosure, denial of service.

CVE-2026-6722: A use-after-free issue was discovered in the SOAP extension which may lead to remote code execution when an apache:Map node contains duplicate keys.
CVE-2026-6735: Conrad Draper discovered that the request URI within the PHP-FPM status page was improperly sanitized, thereby allowing cross-site scripting (XSS).
CVE-2026-7258: An out-of-bounds read issue was discovered in urldecode(), which may lead to denial of service on some platforms.
CVE-2026-7261: Ilia Alshanetsky discovered a use-after-free issue after header parsing failure when SoapServer is configured with SOAP_PERSISTENCE_SESSION, which may lead to denial of service.
CVE-2026-7262: Ilia Alshanetsky discovered a NULL pointer deference issue in SOAP apache:Map decoder with a missing <value> element, which may lead to denial of service.
CVE-2026-7568: Aleksey Solovev discovered a signed integer overflow in the metaphone() function from the PHP standard library.

ELA-1722-1 php7.3 security update (by )

Sun, 17 May 2026 09:11:56 +0200

Package : php7.3

Version : 7.3.31-1~deb10u13 (buster)

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in remote code execution, information disclosure, denial of service.

CVE-2026-6722: A use-after-free issue was discovered in the SOAP extension which may lead to remote code execution when an apache:Map node contains duplicate keys.
CVE-2026-6735: Conrad Draper discovered that the request URI within the PHP-FPM status page was improperly sanitized, thereby allowing cross-site scripting (XSS).
CVE-2026-7258: An out-of-bounds read issue was discovered in urldecode(), which may lead to denial of service on some platforms.
CVE-2026-7261: Ilia Alshanetsky discovered a use-after-free issue after header parsing failure when SoapServer is configured with SOAP_PERSISTENCE_SESSION, which may lead to denial of service.
CVE-2026-7262: Ilia Alshanetsky discovered a NULL pointer deference issue in SOAP apache:Map decoder with a missing <value> element, which may lead to denial of service.
CVE-2026-7568: Aleksey Solovev discovered a signed integer overflow in the metaphone() function from the PHP standard library.

ELA-1720-1 openssh security update (by )

Sat, 16 May 2026 11:45:42 -0300

Package : openssh

Version : 1:7.9p1-10+deb10u7 (buster)

Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.

CVE-2025-61984

ssh allows control characters in usernames that originate from certain
possibly untrusted sources, potentially leading to code execution when a
ProxyCommand is used.

CVE-2025-61985

ssh allows the '\0' character in an ssh:// URI, potentially leading to code
execution when a ProxyCommand is used.

CVE-2026-3497

Jeremy Brown discovered a flaw in the GSSAPI Key Exchange patch applied
in Debian to OpenSSH, an implementation of the SSH protocol suite,
affecting non-default configurations with the GSSAPIKeyExchange setting
enabled. A remote attacker can take advantage of this flaw to cause a
denial of service, or potentially the execution of arbitrary code.

This update properly initialize some GSS-API variables out of caution,
although most of this vulnerability does not apply to this version.

CVE-2026-35385

When downloading files as root in legacy (-O) mode and without the -p
(preserve modes) flag set, scp did not clear setuid/setgid bits from
downloaded files as one might typically expect.  This bug dates back to the
original Berkeley rcp program.  Reported by Christos Papakonstantinou of
Cantina and Spearbit.

CVE-2026-35386

Validation of shell metacharacters in user names supplied on the
command-line was performed too late to prevent some situations where they
could be expanded from %-tokens in ssh_config. For certain configurations,
such as those that use a "%u" token in a "Match exec" block, an attacker
who can control the user name passed to ssh(1) could potentially execute
arbitrary shell commands. Reported by Florian Kohnhäuser.

OpenSSH developers continue to recommend against directly exposing ssh(1)
and other tools' command-lines to untrusted input. Mitigations as the one
addressing this issue can not be absolute given the variety of shells and
user configurations in use.

CVE-2026-35387

ssh can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in
PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted
to mean all ECDSA algorithms. Reported by Christos Papakonstantinou of
Cantina and Spearbit.

CVE-2026-35388

Connection multiplexing confirmation (requested using "ControlMaster
ask/autoask") was not being tested for proxy mode multiplexing sessions (i.e.
"ssh -O proxy ..."). Reported by Michalis Vasileiadis.

CVE-2026-35414

When matching an authorized_keys principals="" option against a list of
principals in a certificate, an incorrect algorithm was used that could
allow inappropriate matching in cases where a principal name in the
certificate contains a comma character. Exploitation of the condition requires
an authorized_keys principals="" option that lists more than one principal
*and* a CA that will issue a certificate that encodes more than one of
these principal names separated by a comma (typical CAs strongly constrain
which principal names they will place in a certificate). This condition
only applies to user- trusted CA keys in authorized_keys, the main
certificate authentication path
(TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported by
Vladimir Tokarev.

ELA-1721-1 openssh security update (by )

Sat, 16 May 2026 11:45:06 -0300

Package : openssh

Version : 1:7.4p1-10+deb9u12 (stretch)

Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.

CVE-2025-61984

ssh allows control characters in usernames that originate from certain
possibly untrusted sources, potentially leading to code execution when a
ProxyCommand is used.

CVE-2026-3497

Jeremy Brown discovered a flaw in the GSSAPI Key Exchange patch applied
in Debian to OpenSSH, an implementation of the SSH protocol suite,
affecting non-default configurations with the GSSAPIKeyExchange setting
enabled. A remote attacker can take advantage of this flaw to cause a
denial of service, or potentially the execution of arbitrary code.

This update properly initialize some GSS-API variables out of caution,
although most of this vulnerability does not apply to this version.

CVE-2026-35385

When downloading files as root in legacy (-O) mode and without the -p
(preserve modes) flag set, scp did not clear setuid/setgid bits from
downloaded files as one might typically expect.  This bug dates back to the
original Berkeley rcp program.  Reported by Christos Papakonstantinou of
Cantina and Spearbit.

CVE-2026-35386

Validation of shell metacharacters in user names supplied on the
command-line was performed too late to prevent some situations where they
could be expanded from %-tokens in ssh_config. For certain configurations,
such as those that use a "%u" token in a "Match exec" block, an attacker
who can control the user name passed to ssh(1) could potentially execute
arbitrary shell commands. Reported by Florian Kohnhäuser.

OpenSSH developers continue to recommend against directly exposing ssh(1)
and other tools' command-lines to untrusted input. Mitigations as the one
addressing this issue can not be absolute given the variety of shells and
user configurations in use.

CVE-2026-35387

ssh can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in
PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted
to mean all ECDSA algorithms. Reported by Christos Papakonstantinou of
Cantina and Spearbit.

CVE-2026-35388

Connection multiplexing confirmation (requested using "ControlMaster
ask/autoask") was not being tested for proxy mode multiplexing sessions (i.e.
"ssh -O proxy ..."). Reported by Michalis Vasileiadis.

CVE-2026-35414

When matching an authorized_keys principals="" option against a list of
principals in a certificate, an incorrect algorithm was used that could
allow inappropriate matching in cases where a principal name in the
certificate contains a comma character. Exploitation of the condition requires
an authorized_keys principals="" option that lists more than one principal
*and* a CA that will issue a certificate that encodes more than one of
these principal names separated by a comma (typical CAs strongly constrain
which principal names they will place in a certificate). This condition
only applies to user- trusted CA keys in authorized_keys, the main
certificate authentication path
(TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported by
Vladimir Tokarev.

ELA-1719-1 apache2 security update (by )

Sat, 16 May 2026 14:14:31 +0200

Package : apache2

Version : 2.4.59-1~deb10u7 (buster)

Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in remote code execution, privilege escalation, denial of service or information disclosure.

Debian Contributions: Detecting undeclared file conflicts, contributors.debian.org mini-sprint, security-tracker performance and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Fri, 15 May 2026 00:00:00 +0000

Debian Contributions: 2026-04

Undeclared file conflicts, by Helmut Grohne

The duplication checker, the Multi-Arch hinter, and the /usr-move analyzer share significant parts of their code. While the /usr-move transition is complete, the other tools needed a bit of love. Helmut added Python type annotations, slightly improved the performance of the duplication website and shared more code between these tools.

Building upon this Helmut looked into file conflicts of various kinds such as unrelated packages installing overlapping files, file type conflicts, mismatching directory metadata and shared files of Multi-Arch: same packages with varying content. Implementing reliable detection proved to be difficult due to the amount of corner cases. So Helmut semi-manually filed bugs. In that process, it became apparent that binNMUs do not reproduce SOURCE_DATE_EPOCH across architectures and therefore some shared files embedding the build date would vary in content. Additionally, a significant number of reports required further correspondence.

contributors.debian.org mini-sprint, by Enrico Zini

Enrico Zini met with Mattia Rizzolo to continue the work started at DebConf 25 on crediting contributions done via salsa, and to catch up with accumulated site issues.

Building on the same kind of infrastructure used to notify tag2upload, salsa.debian.org triggers a webping on pushes and merge request activity, which causes a small JSON payload to be queued in a private directory on contributors.debian.org.

We worked on processing, filtering and aggregating the files in the queue into a private, staging database table. When configuring a data source on the site, it is now possible to configure automated submission of contributions from information in the staging table. This makes it significantly simpler to credit contributors for all teams that use Salsa as their code repository and coordination tool, as the site can take care of the data mining for you.

See more details in the sprint report posted to debian-devel-announce.

MiniDebConf Campinas, by Lucas Kanashiro, Santiago Ruano Rincón and Antonio Terceiro

MiniDebConf Campinas was held between April 23rd and 25th, at the State University of Campinas, and was preceded by a MiniDebcamp between April 20th and 22nd. Freexian was Gold sponsor for the event, and Freexian collaborators were active contributors to the conference success.

Lucas and Santiago delivered a talk about Debian LTS during MiniDebConf Campinas 2026, where they described how the LTS project benefits Debian users and developers, while strengthening Debian itself.

Lucas and Antonio delivered a talk about internship programs in Debian during MiniDebConf Campinas 2026, with the goal of getting students interested in working in and with Debian.

Lucas took part in the MiniDebConf Campinas content team, reviewing/accepting talks and building the schedule.

Antonio led a session where he invited the audience to weigh in on current controversies in Debian. The session presented playful elements as colored signs to denote agree/disagree, and was not recorded, to help people feel more comfortable about speaking up. He might be convinced to lead a similar session at the next DebConf.

Antonio also organized a debate to discuss the consequences of new Brazilian regulation for the protection of children and adolescents in digital spaces for Debian and other free operating systems, but also for the free software community in general. This session was very fruitful and will lead into further actions, as one of the main outcomes was the realization that the free software community must follow the discussion leading up to similar regulations more closely to avoid being caught by surprise when they come into effect.

security-tracker performance, by Helmut Grohne and Emilio Pozuelo Monfort

Prompted by spontaneous influx of web requests on Freexian’s security-tracker back in February, we considered the options for managing that demand. One of our mitigations was making it faster. To that end, Helmut sent two MRs towards improving the situation. There are four notable improvements. The use of Python’s str.translate generally speeds up rendering of larger templates. Indexing the CVE names avoids a costly sequential table scan. Avoiding FFI calls while sorting and reducing the queryset speeds up the source package view. Emilio reviewed and deployed the changes on to the Debian instance. Together these changes provide a twofold speedup on both Freexian’s and Debian’s instance on average.

dput-ng data loss bug, by Colin Watson

Ian Jackson (not affiliated with Freexian) reported that dput-ng could lose data when using the local install method, which could cause misleading results in tests of other packages; they also filed an initial merge request to fix it. Colin improved this to isolate its tests properly, and uploaded it.

Miscellaneous contributions

Lucas coordinated the src:valkey update to version 9 in unstable with a potential co-maintainer.
Lucas provided a security update for src:valkey targeting “trixie”.
Thorsten did two uploads of foo2zjs, one to fix a bug and one to improve packaging. As there have been several CVEs published for cups he also did an upload of a new upstream version. Unfortunately this introduces a regression and another upload was needed to take care of a crash. The patch for one CVE also broke a test script, which is used by lots of printing packages in Debian. As a result some autopkgtest runs failed. This could be fixed as well and the only remaining issue that needs some more investigation is related to cups-pdf. It is also worth mentioning that some issues related to the apparmor configuration of cups could be resolved.
Helmut sent patches for 11 cross build failures.
Helmut sent a MR for enabling the new mainline YT6801 ethernet Linux driver and it is now working fine with Debian’s 7.x kernels.
Helmut upgraded a crossqa.debian.net autobuilder to “trixie”.
Carles using po-debconf-manager, improved Catalan translations: reviewed 2 packages, submitted 3 packages, deleted 5 packages.
Carles did further code developments for check-relations: steps towards making it production ready when the initial round of reports are analyzed. New “show-package” (information) command, improvements for “report_missing” cases, added support for ignoring packages for specific reasons, added unit tests, added CI. Used it to open 39 new bugs. Also followed up different open bugs
Raphaël completed the French translation of Zulip for the release of version 12.0. Zulip is a nice 100% free software threaded communication platform for distributed teams.
Stefano did routine uploads of python-pipx, python-mitogen, platformdirs, python-authlib, python-discovery, distro-info-data, python-virtualenv, python-certifi, python-wheel, pypy3.
Stefano uploaded distro-info-data updates to stable and oldstable proposed updates, with the latest Ubuntu release.
Stefano took part in DebConf 26 preparation meetings.
Stefano prepared DebConf’s online video streaming infrastructure for MiniDebConf Campinas, and configured the Debian reimbursement system to handle their travel bursary claims.
Stefano helped MiniDebConf Hamburg prepare their website for 2027.
Stefano did some sysadmin work on debian.social infrastructure.
Stefano reviewed Matthias’ python3.15 packaging and rebased his work on top of it.
Antonio implemented several improvements to the Debian CI platform, including but not limited to adding support for dark mode, dropping compatibility with ActiveRecord < 7 which is no longer shipped in Debian stable, and generating content-based links to static assets, in two parts.
Antonio debugged a general slowness in salsa, caused by loss of IPv6 connectivity between the salsa host and the remote object storage in “the cloud”, which is a problem due to an open upstream bug in gitlab.
Santiago reviewed different changes to the Salsa CI pipeline, including the new uscan test job, prepared by Thaís Rebouças Araujo, and the final review to introduce faketime testing, made by Áquila Macedo.
Santiago continued helping the DebConf 26 local team to prepare the conference.
Emilio updated libxpm to address a security issue.
Colin finished upgrading groff to 1.24.1; 1.24.0 and 1.24.1 were the first upstream releases since 2023 and had extensive changes, so this took some time to get right.
Colin released “bookworm” and “trixie” fixes for CVE-2026-3497 in openssh, and issued the corresponding BSA-130 for trixie-backports.
Colin upgraded openssh to 10.3p1.
Anupa worked on the accounting tasks for MiniDebConf Kanpur and prepared and submitted a report to the fiscal host.

ELA-1717-1 pyasn1 security update (by )

Wed, 13 May 2026 20:10:09 -0300

Package : pyasn1

Version : 0.1.9-2+deb9u2 (stretch), 0.4.2-3+deb10u2 (buster)

Related CVEs : CVE-2026-30922

pyasn1 is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. This vulnerability can force the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory, crashing the host application.

ELA-1716-1 rails security update (by )

Mon, 11 May 2026 18:52:51 +0200

Package : rails

Version : 2:5.2.2.1+dfsg-1+deb10u6 (buster)

Multiple vulnerabilities were discovered in Ruby on Rails, a MVC Ruby-based framework for web development. An attacker may escalate to RCE (remote code execution), launch DoS (denial-of-service) and XSS (cross-site scripting) attacks, leak sensitive content, or pollute terminal output.

In particular, this update addresses CVE-2022-32224 which targets applications leveraging YAML-serialized columns in Active Record.

Common and safe YAML serialization is handled by this fix (support for primary Ruby data types and Symbol, as well as newly-serialized HashWithIndifferentAccess objects).

However, if your application serializes other classes as YAML, see the following page to reference these classes in config.active_record.yaml_column_permitted_classes, or disable protection entirely (not recommended, at your own risks) with config.active_record.use_yaml_unsafe_load=true.
https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017

CVE-2022-32224

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
CVE-2022-44566

A denial of service vulnerability present in ActiveRecord’s PostgreSQL adapter. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
CVE-2023-22792

A regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking.
CVE-2023-22795

A regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking.
CVE-2023-22796

A regular expression based DoS vulnerability in Active Support. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking.
CVE-2023-23913

There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
CVE-2023-28120

A vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
CVE-2023-28362

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.
CVE-2023-38037

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.
CVE-2024-41128

A possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability.
CVE-2024-47887

A possible ReDoS vulnerability in Action Controller’s HTTP Token authentication. For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability.
CVE-2024-47889

A possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability.
CVE-2024-54133

A possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper of Action Pack. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.
CVE-2025-24293

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.
CVE-2025-55193

In Active Record logging, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences.

Debusine workflow performance issues (by Colin Watson)

Colin Watson — Mon, 11 May 2026 00:00:00 +0000

During March and April, we had a number of performance issues that made Debusine’s core functions of running work requests and reflecting their results in workflows quite unreliable. Investigating and fixing this took up a lot of time from both the Debusine development team and Freexian’s sysadmins.

The central problems involved a series of database concurrency and worker communication issues that interacted in complex ways. On bad days, this caused between 10% and 25% of processed work requests to fail unnecessarily. We communicated some of the problems to users on IRC, but not consistently since we didn’t entirely understand the scope of the problems at the time.

Most of the problems are fixed now, but we had a retrospective meeting to make sure we understood what happened and that we learn from it. Here’s a summary.

Data model

Debusine’s workflows consist of many individual work requests. Each work request has a database row representing its state, which means that the overall state of a workflow is distributed across many rows. Changes to one work request (for example, when it is completed) can cause changes to other work requests (perhaps unblocking it so that it can be scheduled to an idle worker). Those changes may happen concurrently, and in practice often do.

Workers typically need to create artifacts containing the output of tasks: these include things like packages, build logs, and test output.

Debusine records task history so that it can make better decisions about how to schedule work requests. Since this might otherwise grow without bound, the server expires older parts of that history after a while. The same is true for many other kinds of data.

Causes

Because workflows involve changes that propagate between work requests, there were historically some cases where different parts of the system could deadlock due to trying to take update locks on overlapping sets of work request rows in different orders. We mitigated that somewhere around 2025-11-05 by locking entire workflows in one go before making any change that might need to propagate between work requests like this; that dealt with the deadlocks, but it’s quite a heavyweight locking strategy that sometimes caused significant delays.
We’ve been working for some time to make Debusine useful to Debian developers, and regression tracking is an important part of that: it lets developers test uploads without being too badly misled by tests in related packages that were already failing before they started. On 2026-03-11 we enabled this by default on debusine.debian.net, after testing it for a while. Although this is useful, it put more load on the system as a whole, often approximately doubling the number of work requests in a given workflow with many additional dependencies between them.
Like much of the world, we’re in an arms race with unethical scrapers desperately trying to feed everyone else’s data into LLMs before they run out of money. We saw a substantial uptick here towards the end of March, which meant that we had to temporarily disable regression tracking and to put some other mitigations in front of our web interface.
We historically haven’t had systematic internal timeouts. Prompted by ruff, a Google Summer of Code applicant went through and added timeouts in many places, including some calls between the worker and the server. This was fiddly work and the student did a solid job, so I’m not putting them on blast or anything! However, it did mean that some things that came in under load balancer timeouts now timed out earlier on the client side of the request (and hence in Debusine workers), which made some problems show up in different ways and be more obvious. This was deployed on 2026-04-03.

Fixes

Workflow orchestration

Figuring out what individual work requests need to be run as part of a workflow - the process we call “orchestration” - can be challenging. Unlike typical CI pipelines, these workflows often span substantial chunks of a distribution: a glibc update can involve retesting nearly everything! Nevertheless, it’s not particularly helpful for it to take hours just to build the workflow graph.

Fixing this involved many classic database optimizations such as adding indexes and CTEs, but probably the most effective fix was adding a cache for lookups within each orchestrator run or work request. Profiling showed that resolving lookups was a hot spot, and the way that task data is often passed down through a workflow meant that the same lookup could be resolved hundreds or thousands of times in a large workflow.

Expiry

We knew for quite some time that our expiry job took very aggressive locks, effectively blocking most of the rest of the system. This was an early decision to make the expiry logic simpler by allowing it to follow graphs without worrying about concurrent activity, but it clearly couldn’t stay that way forever.

Row locks in PostgreSQL was very helpful in figuring out the correct approach here. Since we’re mainly concerned about the possibility of new foreign key references being created to artifacts we’re considering for expiry, and since that would involve taking FOR KEY SHARE locks on those rows, we can explicitly take FOR UPDATE locks (which conflict with FOR KEY SHARE), and then recompute the set of artifacts to expire with any locked artifacts marked to keep. This was delicate work, but it saved minutes of downtime every day.

Whole-workflow locking

I mentioned earlier that we avoided some deadlock issues by taking locks on entire workflows. To ensure that these locks are effective even against code that isn’t specifically aware of them, this is implemented by using SELECT FOR UPDATE on all the work request rows in the workflow. In some cases the search for which rows to lock itself tripped up the PostgreSQL planner.

Scheduling

We run multiple Celery workers for various purposes. Some of them can do many things in parallel, but in some specific cases (notably the task scheduler) we only ever want a single instance to run at once. Unfortunately a bug in the systemd service meant that the scheduler often ran concurrently anyway! Once we fixed that, the scheduler logs became a lot less confusing.

When Debusine was small, it was reasonable for it to perform scheduling very aggressively, typically as soon as any change occurred to a work request or a worker that might possibly influence it. This doesn’t scale very well, though, and even though we tried to batch multiple scheduling triggers that occurred within a single transaction, it could still make debugging very confusing. We reduced the number of changes that would result in immediate scheduling, and deferred everything else to a regular “tick”.

The scheduler may not be able to assign a work request to an idle worker due to the workflow being locked. That isn’t a major problem in itself; it can just try again later. However, in very large workflows, we found that it often worked its way down all the pending work requests one by one finding that each of them was locked, which was slow and also produced a huge amount of log noise. It now assumes that if a work request is locked, then it might as well skip other work requests in the same workflow until the next scheduler run.

Between them, these changes reduced the number of locks typically being held on debusine.debian.net by about 80%:

Worker refactoring

The Debusine worker has always been partially asynchronous, but while it was actually executing a task - in other words, most of the time, at least in busy periods - it didn’t respond to inbound websocket messages, causing spurious disconnections. We restructured the whole worker to be fully event-based.

We also had to put quite a bit of effort into improving the path by which workers report work request completion, because if that hits a timeout then it can mean throwing away hours of work. We have some further improvements in mind, but for now we defer most of this work to a Celery task so that whole-workflow locks aren’t on the critical path.

Database write volume

One of our sysadmins observed that our database write volume was consistently very high. This was a puzzle, but for a long time we left that unexplored. Eventually we thought to ask PostgreSQL’s own statistics, and we found a surprise:

debusine=> SELECT relname AS table_name,
debusine->        n_tup_ins AS inserts,
debusine->        n_tup_upd AS updates,
debusine->        n_tup_del AS deletes,
debusine->        (n_tup_ins + n_tup_upd + n_tup_del) AS total_dml
debusine-> FROM pg_stat_user_tables
debusine-> WHERE (n_tup_ins + n_tup_upd + n_tup_del) > 0
debusine-> ORDER BY total_dml DESC
debusine-> LIMIT 20;
              table_name              | inserts |  updates   | deletes | total_dml
--------------------------------------+---------+------------+---------+------------
 db_collectionitem                    | 1418251 | 3578202388 | 3630143 | 3583250782
 db_token                             |   15143 |   11212106 |   11389 |   11238638
 db_workrequest                       |  386196 |    6399071 | 1820500 |    8605767
 db_fileinartifact                    | 2783021 |    1837929 | 1663887 |    6284837
 django_celery_results_taskresult     | 1819301 |    1501623 | 1791656 |    5112580
 db_artifact                          |  960077 |    3340859 |  663890 |    4964826
 db_collectionitemmatchconstraint     | 1550457 |          0 | 2207486 |    3757943
 db_artifactrelation                  | 2229382 |          0 | 1363825 |    3593207
 db_fileupload                        | 1023400 |    1057036 | 1023346 |    3103782
 db_file                              | 1673194 |          0 |  970252 |    2643446
 db_fileinstore                       | 1411995 |          0 |  970259 |    2382254
 db_filestore                         |       0 |    2381578 |       0 |    2381578
 django_session                       |  645423 |    1519880 |     531 |    2165834
 db_workrequest_dependencies          |  365877 |          0 |  936537 |    1302414
 db_worker                            |   18317 |     949280 |    9487 |     977084
 db_collection                        |   10061 |         85 |  177741 |     187887
 db_workerpooltaskexecutionstatistics |   28721 |          0 |       0 |      28721
 db_workerpoolstatistics              |    1640 |          0 |       0 |       1640
 db_workflowtemplate                  |     130 |        158 |     649 |        937
 db_identity                          |      76 |        661 |       0 |        737
(20 rows)

Oh my - that’s a lot of db_collectionitem updates and must surely be out of proportion with what we really need. Can we narrow that down by asking about the most recently-updated tuples?

debusine=> SELECT DISTINCT category
debusine-> FROM db_collectionitem
debusine-> WHERE id IN (
debusine->     SELECT id FROM db_collectionitem
debusine->     ORDER BY xmin::text::integer DESC LIMIT 10000
debusine-> );
           category
------------------------------
 debusine:historical-task-run
(1 row)

That might not be absolutely reliable, but it was certainly a hint. As per PostgreSQL’s documentation, by default UPDATE always performs physical updates to every matching row regardless of whether the data has changed, and our code to expire old task history entries wasn’t doing that properly. Once we knew where to look, it was easy to add some extra constraints.

This reduced our mean write volume on debusine.debian.net from about 23 MB/s to about 3 MB/s, which had an immediate knock-on effect on our request failure rate:

Current state

Our metrics indicate that things are a lot better now. We still have a few things to deal with, such as:

Some more performance fixes are on their way to fix some remaining cases where views are very slow or where file uploads from workers fail due to locks.
We have some changes in the works to revamp how work request changes propagate through workflows in a way that doesn’t require so many heavyweight locks.
We have a number of monitoring and alerting improvements we’d like to make, both for outcomes (things like slow Celery tasks) and possible root causes (database performance). We’d also like to deploy some more modern observability tools; hunting for things using journalctl isn’t terrible, but it’s not really the state of the art.
We need to improve how we communicate to users when we’re having operational problems, both informally (IRC, etc.) and on the site.
Retries don’t always behave the way you’d expect in workflows.

I hope this has been an interesting tour through the sorts of things that can go wrong in this kind of distributed system!

Monthly report about Debian Long Term Support, April 2026 (by Thorsten Alteholz)

Thorsten Alteholz — Mon, 11 May 2026 00:00:00 +0000

The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for April.

Activity summary

During the month of April, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 37 DLAs fixing 145 CVEs.

The team continued preparing security updates in its usual rhythm. Beyond the updates targeting Debian 11 (“bullseye”), which is the current release under LTS, the team also proposed updates for more recent releases (Debian 12 (“bookworm”) and Debian 13 (“trixie”)), including Debian unstable. We highlight several notable security updates here below.

Andrej Shadura prepared DLA 4525-1 for libyaml-syck-perl to fix a vulnerability related to a memory leak.
Andrej also prepared DLA 4551-1 for mbedtls to fix a leak of secrets.
Arnaud Rebillout prepared DLA 4532-1 for python3.9 to fix a use-after-free issue in several decompressors.
Arnaud also prepared DLA 4533-1 for systemd to fix multiple vulnerabilities, which might be also used to execute arbitrary code.
Bastien Roucariès prepared DLA 4529-1 for bind9 to fix a DNSSEC issues, which can cause the resolver to consume excessive CPU.
Bastien also prepared DLA 4539-1 for imagemagick to fix 21 vulnerabilities.
Emilio Pozuelo Monfort prepared DLA 4535-1 for openssh to fix a potentially execution of arbitrary code.
Emilio also Monfort prepared DLA 4526-1, DLA 4546-1 and DLA 4555-1 for firefox-esr to fix 31 vulnerabilities.
Jochen Sprickerhof prepared DLA 4524-1 for postgresql-13 to fix multiple vulnerabilities, which might be also used to execute arbitrary code.
Sylvain Beucler prepared DLA 4538-1 for perl to fix unauthorized access to data or arbitrary code execution.
Thorsten Alteholz prepared DLA 4545-1 for packagekit to fix a local privilege escalation.
Thorsten also prepared DLA 4544-1 for ntfs-3g to fix a local privilege escalation.
Tobias Frost prepared DLA 4521-1 for libpng1 to fix multiple vulnerabilities, which might be also used to execute arbitrary code.

Contributions from outside the LTS Team:

As usual, the thunderbird updates, released as DLA 4534-1 and DLA 4549-1, were prepared by its maintainer Christoph Goehre. This month 28 CVEs has been fixed. Thanks a lot for his continuous contributions. The DLAs have been sent by Emilio.
Thanks alot as well to Mathias Behrle for providing DLA 4543-1 for package simpleeval. The DLA has been sent by Santiago.

The LTS Team has also contributed with updates to the latest Debian releases:

Andreas Henriksson completed the upload of gvfs for trixie and bookworm
Ben Hutchings did uploads of several kernel packages to unstable and the corresponding backports repositories.
Sylvain took care of uploads of awstats to trixie and bookworm. He also did the same for 7zip-rar with an upload to bookworm-backports).

Some milestones in the lifecycle of two Debian releases are just around the corner. The support of Debian 12 will be handed over to the LTS team on June 11th 2026. After August 31st, support for Debian 11 will move from Debian LTS to ELTS managed by Freexian.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 127 months)
- Civil Infrastructure Platform (CIP) (for 95 months)
- VyOS Inc (for 59 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 137 months)
- CONET Deutschland GmbH (for 121 months)
- University of Oxford (for 77 months)
- EDF SA (for 49 months)
- Dataport AöR (for 24 months)
- CERN (for 22 months)
Silver sponsors:
- Domeneshop AS (for 142 months)
- Nantes Métropole (for 136 months)
- Akamai - Linode (for 131 months)
- Univention GmbH (for 128 months)
- Université Jean Monnet de St Etienne (for 128 months)
- Ribbon Communications, Inc. (for 122 months)
- Exonet B.V. (for 111 months)
- Leibniz Rechenzentrum (for 106 months)
- Ministère de l’Europe et des Affaires Étrangères (for 89 months)
- Dinahosting SL (for 77 months)
- Upsun Formerly Platform.sh (for 71 months)
- Moxa Inc. (for 65 months)
- Deveryware (for 64 months)
- sipgate GmbH (for 63 months)
- OVH US LLC (for 61 months)
- Tilburg University (for 61 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 52 months)
- THINline s.r.o. (for 25 months)
- Copenhagen Airports A/S (for 19 months)
- Conseil Départemental de l’Isère (for 5 months)
Bronze sponsors:
- Evolix (for 142 months)
- Seznam.cz, a.s. (for 142 months)
- Intevation GmbH (for 139 months)
- Linuxhotel GmbH (for 139 months)
- Daevel SARL (for 138 months)
- Megaspace Internet Services GmbH (for 137 months)
- Greenbone AG (for 136 months)
- NUMLOG (for 136 months)
- WinGo AG (for 135 months)
- Entr’ouvert (for 126 months)
- Adfinis AG (for 124 months)
- Plat’Home (for 120 months)
- Tesorion (for 119 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 118 months)
- Bearstech (for 110 months)
- LiHAS (for 110 months)
- Catalyst IT Ltd (for 105 months)
- Demarcq SAS (for 99 months)
- Université Grenoble Alpes (for 85 months)
- TouchWeb SAS (for 77 months)
- SPiN AG (for 74 months)
- CoreFiling (for 70 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 61 months)
- Tem Innovations GmbH (for 56 months)
- WordFinder.pro (for 55 months)
- CNRS DT INSU Résif (for 54 months)
- Soliton Systems K.K. (for 49 months)
- Alter Way (for 47 months)
- SOBIS Software GmbH (for 22 months)
- Tuxera Inc. (for 13 months)
- OPM-OP AS (for 5 months)

ELA-1715-1 linux-6.1 security update (by )

Sat, 09 May 2026 23:39:41 +0200

Package : linux-6.1

Version : 6.1.170-3~deb9u1 (stretch), 6.1.170-3~deb10u1 (buster)

Related CVEs : CVE-2026-43284 CVE-2026-43500

Two vulnerabilities have been discovered in the Linux kernel that may lead to local privilege escalation.

ELA-1714-1 openjdk-8 security update (by )

Sat, 09 May 2026 11:05:07 +0200

Package : openjdk-8

Version : 8u492-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in incorrect generation of cryptographic keys, denial of service, information disclosure, XXE/XEE attacks or incorrect validation of Kerberos credentials.

ELA-1713-1 linux-5.10 security update (by )

Sat, 09 May 2026 01:18:31 +0200

Package : linux-5.10

Version : 5.10.251-4~deb9u1 (stretch), 5.10.251-4~deb10u1 (buster)

Related CVEs : CVE-2026-43284 CVE-2026-43500

Two vulnerabilities have been discovered in the Linux kernel that may lead to local privilege escalation.

ELA-1712-1 libdatetime-timezone-perl new timezone database (by )

Thu, 07 May 2026 10:09:15 +0200

Package : libdatetime-timezone-perl

Version : 1:2.09-1+2026b (stretch), 1:2.23-1+2026b (buster)

This update includes the changes in tzdata 2026b for the Perl bindings.

ELA-1711-1 tzdata new timezone database (by )

Thu, 07 May 2026 10:05:19 +0200

Package : tzdata

Version : 2026b-0+deb9u1 (stretch), 2026b-0+deb10u1 (buster)

This update includes the changes in tzdata 2026b. Notable changes are:

British Columbia moved to permanent -07 on 2026-03-09, so it will not fall back from -07 to -08 on 2026-11-01.
Updated leap second list, which was set to expire by the end of June.

ELA-1710-1 imagemagick security update (by )

Thu, 07 May 2026 02:20:35 +0200

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u28 (stretch)

ELA-1709-1 lcms2 security update (by )

Wed, 06 May 2026 11:59:38 -0700

Package : lcms2

Version : 2.8-4+deb9u2 (stretch), 2.9-3+deb10u1 (buster)

Related CVEs : CVE-2026-41254

An integer overflow issue was discovered in Little CMS.

ELA-1708-1 openjdk-11 security update (by )

Wed, 06 May 2026 14:07:28 +0200

Package : openjdk-11

Version : 11.0.31+11-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in incorrect generation of cryptographic keys, denial of service, information disclosure, XEE/XEE attacks or incorrect validation of Kerberos credentials.

ELA-1707-1 pyjwt security update (by )

Tue, 05 May 2026 16:31:18 +0200

Package : pyjwt

Version : 1.4.2-1+deb9u2 (stretch), 1.7.0-2+deb10u1 (buster)

Related CVEs : CVE-2026-32597

It was discovered that PyJWT, a Python implementation of JSON Web Token did not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

ELA-1706-1 imagemagick security update (by )

Sun, 03 May 2026 10:09:38 +0200

Package : imagemagick

Version : 8:6.9.10.23+dfsg-2.1+deb10u17 (buster)

ELA-1705-1 linux-6.1 security update (by )

Sat, 02 May 2026 22:18:58 -0300

Package : linux-6.1

Version : 6.1.170-1~deb9u1 (stretch), 6.1.170-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1704-1 linux-5.10 security update (by )

Sat, 02 May 2026 22:13:14 -0300

Package : linux-5.10

Version : 5.10.251-3~deb9u1 (stretch), 5.10.251-3~deb10u1 (buster)

Related CVEs : CVE-2026-31431 CVE-2026-43033

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1702-1 policykit-1 security update (by )

Thu, 30 Apr 2026 10:52:53 +0200

Package : policykit-1

Version : 0.105-18+deb9u3 (stretch)

Related CVEs : CVE-2026-4897

Pavel Kohout, Aisle Research found that a local user provide a specially crafted, excessively long input to the polkit-agent-helper-1 setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.

ELA-1703-1 policykit-1 security update (by )

Thu, 30 Apr 2026 10:52:53 +0200

Package : policykit-1

Version : 0.105-18+deb9u3 (stretch)

Related CVEs : CVE-2018-1116 CVE-2019-6133 CVE-2026-4897

CVE-2018-1116

Matthias Gerstner of the SUSE security team found a local information disclosure and denial of service caused by trusting client-submitted UIDs when referencing processes.

CVE-2019-6133

Jann Horn of Google Project Zero found that a kernel vulnerability (Slowfork) allowed local privilege escalation. (This problem was also mitigated by changes to how start_time for forked process are handled in Linux.)

CVE-2026-4897

ELA-1701-1 systemd security update (by )

Wed, 29 Apr 2026 14:53:13 +0200

Package : systemd

Version : 232-25+deb9u18 (stretch)

Related CVEs : CVE-2026-4105 CVE-2026-40225

The following vulnerabilities have been discovered systemd:

CVE-2026-4105: The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.
CVE-2026-40225: udev: local root execution can occur via malicious hardware devices and unsanitized kernel output.

ELA-1700-1 systemd security update (by )

Wed, 29 Apr 2026 14:52:45 +0200

Package : systemd

Version : 241-7~deb10u12 (buster)

The following vulnerabilities have been discovered systemd:

CVE-2026-4105: The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.
CVE-2026-29111: When an unprivileged IPC API call is made with spurious data, a stack overwrite occurs, with the attacker controlled content.
CVE-2026-40225: udev: local root execution can occur via malicious hardware devices and unsanitized kernel output.
CVE-2026-40226: nspawn: an escape-to-host action can occur via a crafted optional config file.

ELA-1699-1 ffmpeg security update (by )

Tue, 28 Apr 2026 22:00:16 -0300

Package : ffmpeg

Version : 7:3.2.19-0+deb9u8 (stretch)

Several issues have been found in ffmpeg, a library and tools for transcoding, streaming and playing of multimedia files.

CVE-2020-22027: A heap-based Buffer Overflow vulnerability exits in FFmpeg 4.2 in deflate16 at libavfilter/vf_neighbor.c, which might lead to memory corruption and other potential consequences.
CVE-2023-6603: A flaw was found in FFmpeg’s HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.
CVE-2025-1594: A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-7700: A flaw was found in FFmpeg’s ALS audio decoder, where it does not properly check for memory allocation failures. This can cause the application to crash when processing certain malformed audio files. While it does not lead to data theft or system control, it can be used to disrupt services and cause a denial of service.
CVE-2025-9951: A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000.
CVE-2025-10256: A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.

ELA-1698-1 libde265 security update (by )

Mon, 27 Apr 2026 14:36:08 +0200

Package : libde265

Version : 1.0.11-0+deb9u7 (stretch), 1.0.11-0+deb10u7 (buster)

It was found that libde265, an open source implementation of the H.265 video codec, had multiple vulnerabilities which included both stack and heap out of bound writes that could lead to denial of service, etc.

ELA-1697-1 distro-info-data database update (by )

Sat, 25 Apr 2026 14:00:48 -0400

Package : distro-info-data

Version : 0.41+deb10u2~bpo9+10 (stretch), 0.41+deb10u14 (buster)

This is a routine update of the distro-info-data database for Debian ELTS users.

It updates the EoL date for bookworm and adds Ubuntu 26.10 “Stonking Stingray”.

ELA-1696-1 imagemagick security update (by )

Sat, 25 Apr 2026 18:16:13 +0200

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u27 (stretch)

Multiple security vulnerabilities were discovered in imagemagick, a software suite used for editing and manipulating digital images, which could lead to symlink races, information leaks, denial of service and potentially arbitrary code execution.

ELA-1695-1 pillow security update (by )

Fri, 24 Apr 2026 20:19:35 +0200

Package : pillow

Version : 5.4.1-2+deb10u7 (buster)

Multiple vulnerabilties have been found in pillow, an image processing library for Python with potential effects of denial of service due to resource exhaustion or infinite loop.

CVE-2021-25293

There is an out-of-bounds read in SGIRleDecode.c.

CVE-2021-28675

PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.

CVE-2021-28676

For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

CVE-2022-24303

Allows attackers to delete files because spaces in temporary pathnames are mishandled.

ELA-1694-1 pillow security update (by )

Fri, 24 Apr 2026 20:18:02 +0200

Package : pillow

Version : 4.0.0-4+deb9u7 (stretch)

Multiple vulnerabilties have been found in pillow, an image processing library for Python with potential effects of denial of service due to resource exhaustion.

CVE-2019-16865 When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

CVE-2021-27922

Denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

CVE-2021-27923

Denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

CVE-2021-28675

PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.

Monthly report about Debian Long Term Support, March 2026 (by Santiago Ruano Rincón)

Santiago Ruano Rincón — Fri, 24 Apr 2026 00:00:00 +0000

The Debian LTS Team, funded by [Freexian’s Debian LTS offering] (https://www.freexian.com/lts/debian/), is pleased to report its activities for March.

Activity summary

During the month of March, 20 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 24 DLAs fixing 250 CVEs.

We also welcomed two new members: Lukas Märdian and Emmanuel Arias to the team, who actually started to contribute to the LTS project several months ago.

ansible (DLA 4502-1), prepared by Lee Garret in collaboration with Jochen, fixing a vulnerability that allows attackers to bypass unsafe content protections
asterisk (DLA 4515-1), prepared by Lukas Märdian, fixing four CVEs that include possible privilege escalations.
gimp (DLA 4500-1), prepared by Thorsten, fixing four CVEs related to denial of service or execution of arbitrary code.
gst-plugins-base1.0 and gst-plugins-ugly1.0 (DLA-4514-1, DLA-4516-1, respectively), both prepared by Utkarsh, addressing vulnerabilities that may yield to arbitrary code execution.
imagemagick, released by Bastien Roucariès (DLA 4497-1) fixing multiple vulnerabilities that could lead to information leaks, bypass of security policies, denial of service or arbitrary code execution.
libpng1.6 (DLA 4521-1), prepared by Tobias Frost, fixing an arbitrary code execution vulnerability
linux: Ben Hutchings released DLA 4498-1 and DLA 4499-1 for linux 5.10 and linux 6.1, respectively. Those updates especially address the “CrackArmor” flaw.
ruby-rack (DLA 4505-1), prepared by Utkarsh Gupta, addressing two vulnerabilities
strongswan (DLA 4512-1), prepared by Thorsten Alteholz, fixing a Denial of Service vulnerability
roundcube (DLA 4517-1) prepared by Guilhem Moulin, who discovered that one of the fixes provided by upstream was incomplete.

Contributions from outside the LTS Team:

As usual, the thunderbird update, released as DLA 4511-1, was prepared by its maintainer Christoph Goehre. Thanks a lot for his continuous contributions.

The LTS Team has also contributed with updates to the latest Debian releases:

Andreas Henriksson completed the uploads of glib2.0 for both trixie and bookworm
Arnaud Rebillout: python-cryptography for trixie
Arnaud and Bastien worked together to prepare a ca-certificates-java release for unstable
Bastien completed the upload of gpsd for trixie that was proposed in January.
Bastien uploaded a regression update of apache2 for trixie
Bastien prepared a zabbix point update for trixie
Bastien in collaboration with Markus released netty updates for trixie and bookworm DSA 6160-1
Daniel Leidert proposed python-tornado releases for both trixie and bookworm.
Daniel also prepared a python-authlib update for trixie
Guilhem prepared a mapserver update for bookworm.
Lucas Kanashiro proposed merge requests to fix three CVEs in erlang for both trixie and bookworm
Sylvain Beucler continued the work to replace p7zip with 7zip in the different supported releases, and proposed a point update for bookworm
Tobias prepared trixie and bookworm security updates, released as DSA-6189-1
Utkarsh prepared trixie and bookworm security update for ruby-rack, released as DSA-6180-1

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 126 months)
- Civil Infrastructure Platform (CIP) (for 94 months)
- VyOS Inc (for 59 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 137 months)
- CONET Deutschland GmbH (for 120 months)
- University of Oxford (for 77 months)
- EDF SA (for 48 months)
- Dataport AöR (for 23 months)
- CERN (for 21 months)
Silver sponsors:
- Domeneshop AS (for 141 months)
- Nantes Métropole (for 135 months)
- Akamai - Linode (for 131 months)
- Univention GmbH (for 127 months)
- Université Jean Monnet de St Etienne (for 127 months)
- Ribbon Communications, Inc. (for 121 months)
- Exonet B.V. (for 111 months)
- Leibniz Rechenzentrum (for 105 months)
- Ministère de l’Europe et des Affaires Étrangères (for 89 months)
- Dinahosting SL (for 76 months)
- Upsun Formerly Platform.sh (for 71 months)
- Moxa Inc. (for 65 months)
- Deveryware (for 64 months)
- sipgate GmbH (for 62 months)
- OVH US LLC (for 60 months)
- Tilburg University (for 60 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 52 months)
- THINline s.r.o. (for 24 months)
- Copenhagen Airports A/S (for 18 months)
- Conseil Départemental de l’Isère (for 4 months)
Bronze sponsors:
- Seznam.cz, a.s. (for 142 months)
- Evolix (for 141 months)
- Linuxhotel GmbH (for 139 months)
- Intevation GmbH (for 138 months)
- Daevel SARL (for 137 months)
- Megaspace Internet Services GmbH (for 136 months)
- Greenbone AG (for 135 months)
- NUMLOG (for 135 months)
- WinGo AG (for 134 months)
- Entr’ouvert (for 126 months)
- Adfinis AG (for 123 months)
- Plat’Home (for 120 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 118 months)
- Tesorion (for 118 months)
- Bearstech (for 110 months)
- LiHAS (for 110 months)
- Catalyst IT Ltd (for 104 months)
- Demarcq SAS (for 98 months)
- Université Grenoble Alpes (for 84 months)
- TouchWeb SAS (for 76 months)
- SPiN AG (for 73 months)
- CoreFiling (for 69 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 61 months)
- Tem Innovations GmbH (for 55 months)
- WordFinder.pro (for 55 months)
- CNRS DT INSU Résif (for 54 months)
- Soliton Systems K.K. (for 49 months)
- Alter Way (for 47 months)
- SOBIS Software GmbH (for 21 months)
- Tuxera Inc. (for 13 months)
- OPM-OP AS (for 4 months)

ELA-1693-1 packagekit security update (by )

Wed, 22 Apr 2026 16:11:11 +0200

Package : packagekit

Version : 1.1.5-2+deb9u3 (stretch), 1.1.12-5+deb10u1 (buster)

Related CVEs : CVE-2026-41651

Maik Schaefer discovered that a TOCTOU race condition in PackageKit (a package management service over a DBus interface) could result in local privilege escalation.

ELA-1692-1 inetutils security update (by )

Wed, 22 Apr 2026 13:14:35 +0200

Package : inetutils

Version : 2:1.9.4-2+deb9u5 (stretch), 2:1.9.4-7+deb10u5 (buster)

Multiple vulnerabilities where found in telnetd (server) and telnet (client) found in the GNU inetutils suite. The vulnerabilities includes reading arbitrary environment variables from the connecting client (information disclosure), out of bounds write in the server (potential remote code execution) and potentially abusing the service credentials support in util-linux login 2.40 which in not part of Debian buster or stretch, but could potentially be a problem if the local system administrator would decide to update to a newer version on their own accord.

ELA-1691-1 libapache2-mod-auth-openidc security update (by )

Wed, 22 Apr 2026 10:34:20 +0200

Package : libapache2-mod-auth-openidc

Version : 2.1.6-1+deb9u2 (stretch)

Several vulnerabilities were found in mod_auth_openidc, an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality.

An unauthenticated attacker may cause Denial-of-Service (DoS) through crafted HTTP requests, facilitate a fishing campaign leveraging open directions by sending crafted links to a victim, or inject JavaScript code (XSS).

CVE-2021-32786

oidc_validate_redirect_url() does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality.
CVE-2021-32792

XSS vulnerability in when using OIDCPreservePost On.
CVE-2021-39191

The 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the target_link_uri parameter.
CVE-2022-23527

When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect.
CVE-2023-28625

When OIDCStripCookies is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk.
CVE-2024-24814

Input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack.
CVE-2025-3891:

Denial of service when sending an empty Content-Type header when the OIDCPreservePost directive is enabled.

ELA-1690-1 imagemagick security update (by )

Tue, 21 Apr 2026 22:44:04 +0200

Package : imagemagick

Version : 8:6.9.10.23+dfsg-2.1+deb10u16 (buster)

Note that SVG and MVG plugins were updated from imagemagick 6.9.13-41 in order to fix some vulnerabilities. This may change some conversion results like bounding box or borders due to small rounding changes.

ELA-1689-1 ntfs-3g security update (by )

Tue, 21 Apr 2026 18:12:17 +0200

Package : ntfs-3g

Version : 1:2016.2.22AR.1+dfsg-1+deb9u6 (stretch), 1:2017.3.23AR.3-4+deb11u4~deb10u2 (buster)

Related CVEs : CVE-2026-40706

Andrea Bocchetti discovered a heap-based buffer overflow in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of this flaw for local root privilege escalation.

ELA-1688-1 xdg-dbus-proxy security update (by )

Tue, 21 Apr 2026 13:31:04 +0200

Package : xdg-dbus-proxy

Version : 0.1.1-1+deb10u1 (buster)

Related CVEs : CVE-2026-34080

It was discovered that incorrect parsing of policy rules in the xdg-dbus-proxy (a filtering proxy for D-Bus connections) allowed the bypass of eavesdrop restrictions, which could result in information disclosure.

ELA-1687-1 tiff security update (by )

Mon, 20 Apr 2026 12:42:19 +0200

Package : tiff

Version : 4.0.8-2+deb9u15 (stretch), 4.1.0+git191117-2~deb10u12 (buster)

Related CVEs : CVE-2026-4775

Quang Luong discovered a heap overflow in the libtiff library, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.

In addition, the stretch update also fixes a heap buffer overflow read.

ELA-1686-1 mapserver security update (by )

Sat, 18 Apr 2026 16:44:24 +0200

Package : mapserver

Version : 7.0.4-2+deb9u2 (stretch), 7.2.2-1+deb10u2 (buster)

Related CVEs : CVE-2026-33721

A heap-buffer-overflow was found in mapserver, a CGI-based framework for Internet map services, which could lead to Denial of Service via crafted SLD (Styled Layer Descriptor) sent by a remote unauthenticated attacker.

ELA-1685-1 perl security update (by )

Sat, 18 Apr 2026 10:52:18 +0200

Package : perl

Version : 5.24.1-3+deb9u9 (stretch), 5.28.1-6+deb10u3 (buster)

Related CVEs : CVE-2025-40909

Vincent Lefèvre discovered that, in the Perl programming language, at thread creation the current directory may temporarily change in other threads, altering file accesses. Under some conditions, a local attacker may leverage this to access unauthorized data or even inject arbitrary code.

ELA-1676-2 postgresql-11 regression update (by )

Fri, 17 Apr 2026 15:13:09 +0200

Package : postgresql-11

Version : 11.22-0+deb10u8 (buster)

The fix for CVE-2026-2006 introduced a regression in SUBSTRING() for toasted multibyte characters, as discussed in the upstream bug:

https://www.postgresql.org/message-id/19406-9867fddddd724fca@postgresql.org

Also a number of minor upstream fixes for the patches added in 11.22-0+deb10u7 where added:

pg_mblen_range, pg_mblen_with_len: Valgrind after encoding ereport.
Suppress new “may be used uninitialized” warning.
Fix test_valid_server_encoding helper function.
pgcrypto: Tweak error message for incorrect session key length.

ELA-1677-2 postgresql-9.6 regression update (by )

Fri, 17 Apr 2026 15:12:38 +0200

Package : postgresql-9.6

Version : 9.6.24-0+deb9u12 (stretch)

The fix for CVE-2026-2006 introduced a regression in SUBSTRING() for toasted multibyte characters, as discussed in the upstream bug:

https://www.postgresql.org/message-id/19406-9867fddddd724fca@postgresql.org

Also a number of minor upstream fixes for the patches added in 9.6.24-0+deb9u11 where added:

pg_mblen_range, pg_mblen_with_len: Valgrind after encoding ereport.
Suppress new “may be used uninitialized” warning.
Fix test_valid_server_encoding helper function.
pgcrypto: Tweak error message for incorrect session key length.

ELA-1684-1 nss security update (by )

Fri, 17 Apr 2026 08:57:35 +0200

Package : nss

Version : 3.26.2-1.1+deb9u9 (stretch), 2:3.42.1-1+deb10u10 (buster)

Related CVEs : CVE-2026-2781

Clay Ver Valen discovered an integer overflow in the AES-GCM implementation of the Mozilla Network Security Service libraries.

Debian Contributions: Debusine projects in GSoC, Debian CI updates, Salsa CI maintenance and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Wed, 15 Apr 2026 00:00:00 +0000

Debian Contributions: 2026-03

Debusine projects in Google’s Summer of Code

While Freexian initiated Debusine, and is investing a lot of resources in the project, we manage it as a true free software project that can and should have a broader community.

We always had documentation for new contributors and we aim to be reactive with them when they interact via the issue tracker or via merge requests. We decided to put those intentions under stress tests by proposing five projects for Google’s Summer of Code as part of Debian’s participation in that program.

Given that at least 11 candidates managed to get their merge request accepted in the last 30 days (interacting with the development team is part of the pre-requisites to apply to Google Summer of Code projects these days), the contributing experience must not be too bad. 🙂 If you want to try it out, we maintain a list of “quick fixes” that are accessible to newcomers. And as always, we welcome your feedback!

Debian CI: incus backend and upgrade to Bootstrap 5, by Antonio Terceiro

debci 3.14 was released on March 4th, with a followup 3.14.1 release with regression fixes a few days afterwards. Those releases were followed by new development and maintenance work that will provide extra capabilities and stability to the platform.

This month saw the initial version of an incus backend land in Debian CI. The transition into the new backend will be done carefully so as to not disrupt ‘testing’ migration. Each package will be running jobs with both the current lxc backend and with incus. Packages that have the same result on both backends will be migrated over, and packages that exhibit different results will be investigated further, resulting in bug reports and/or other communication with the maintainers.

On the frontend side, the code has been ported to Bootstrap 5 over from the now ancient Bootstrap 3. This need has been originally reported back in 2024 based on the lack of security support for Bootstrap 3. Beyond improving maintainability, this upgrade also enables support for dark mode in debci, which is still work in progress.

Both updates mentioned in this section will be available in a following debci release.

Salsa CI maintenance by Santiago Ruano Rincón et al.

Santiago reviewed some Salsa CI issues and reviewed associated merge requests. For example, he investigated a regression (#545), introduced by the move to sbuild, on the use of extra repositories configured as “.source” files; and reviewed the MR (!712) that fixes it.

Also, there were conflicts with changes made in debci 3.14 and debci 3.14.1 (those updates are mentioned above), and different people have contributed to fix the subsequent issues, in a long-term way. This includes Raphaël who proposed MR !707 and who also suggested Antonio to merge the Salsa CI patches to avoid similar errors in the future. This happened shortly after. Those fixes finally required the unrelated MR !709, which will prevent similar problems when building images.

To identify bugs related to the autopkgtest support in the backport suites as early as possible, Santiago proposed MR !708.

Finally, Santiago, in collaboration with Emmanuel Arias also had exchanges with GSoC candidates for the Salsa CI project, including the contributions they have made as merge requests. It is important to note that there are several very good candidates interested in participating. Thanks a lot to them for their work so far!

Miscellaneous contributions

Raphaël reported a zim bug affecting Debian Unstable users, which was already fixed in git apparently. He could thus cherry-pick the fix and update the package in Debian Unstable.
Carles created a new page on the InstallingDebianOn in Debian Wiki.
Carles submitted translation errors in the debian-installer Weblate.
Carles, using po-debconf-manager, improved Catalan translations: reviewed and submitted 3 packages. Also improved error handling when forking or submitting an MR if the fork already existed.
Carles kept improving check-relations: code base related general improvements (added strict typing, enabled pre-commit). Also added DebPorts support, virtual packages support and added commands for reporting missing relations and importing bugs from bugs.debian.org.
Antonio handled miscellaneous Salsa support requests.
Antonio improved the management of MiniDebConf websites by keeping all non-secret settings in git and fixed exporting these sites as static HTML.
Stefano uploaded routine updates to hatchling, python-mitogen, python-virtualenv, python-discovery, dh-python, pypy3, python-pipx, and git-filter-repo.
Faidon uploaded routine updates to crun, libmaxminddb, librdkafka, lowdown, platformdirs, python-discovery, sphinx-argparse-cli, tox, tox-uv.
Stefano and Santiago continued to help with DebConf 26 preparations.
Stefano reviewed some contributions to debian-reimbursements and handled admin for reimbursements.debian.net.
Stefano attended the Debian Technical Committee meeting.
Helmut sent 8 patches for cross build failures.
Building on the work of postmarketOS, Helmut managed to cross build systemd for musl in rebootstrap and sent several patches in the process.
Helmut reviewed several MRs of Johannes Schauer Marin Rodrigues expanding support for DPKG_ROOT to support installing hurd.
Helmut incorporated a final round of feedback for the Multi-Arch documentation in Debian policy, which finally made it into unstable together with documentation of Build-Profiles.
In order to fix python-memray, Helmut NMUed libunwind generally disabling C++ exception support as being an incompatible duplication of the gcc implementation. Unfortunately, that ended up breaking suricata on riscv64. After another NMU, python-memray finally migrated.
Thorsten uploaded new upstream versions of epson-inkjet-printer-escpr and sane-airscan. He also fixed a packaging bug in printer-driver-oki. As of systemd 260.1-1 the configuration of lpadmin has been added to the sysusers.d configuration. All printing packages can now simply depend on the systemd-sysusers package and don’t have to take care of its creation in maintainer scripts anymore.
In collaboration with Emmanuel Arias, Santiago had exchanges with GSoC candidates and reviewed the proposals of the Linux livepatching GSoC 2026 project.
Colin helped to fix CVE-2026-3497 in openssh and CVE-2026-28356 in multipart.
Colin upgraded tango and pytango to new upstream releases and packaged pybind11-stubgen (needed for pytango), thanks to a Freexian customer. Tests of reproducible builds revealed that pybind11-stubgen didn’t generate imports in a stable order; this is now fixed upstream.
Lucas fixed CVE-2025-67733 and CVE-2026-21863 affecting src:valkey in unstable and testing. Also reviewed the same fixes targeting stable proposed by Peter Wienemann.
Faidon worked with upstream and build-dep Debian maintainers on resolving blockers in order to bring pyHanko into Debian, starting with the adoption of python-pyhanko-certvalidator. pyHanko is a suite for signing and stamping PDF files, and one of the few libraries that can be leveraged to sign PDFs with eIDAS Qualified Electronic Signatures.
Anupa co-organized MiniDebConf Kanpur and attended the event with many others from all across India. She handled the accommodation arrangements along with the registration team members, worked on the budget and expenses. She was also a speaker at the event.
Lucas helped with content review/schedule for the MiniDebConf Campinas. Thanks Freexian for being a Gold sponsor!
Lucas organized and took part in a one-day in-person sprint to work on Ruby 3.4 transition. It was held in a coworking space in Brasilia - Brazil on April 6th. There were 5 DDs and they fixed multiple packages FTBFSing against Ruby 3.4 (coming to unstable soon hopefully). Lucas has been postponing a blog post about this sprint since then :-)

ELA-1683-1 gdk-pixbuf security update (by )

Tue, 14 Apr 2026 11:49:58 +0200

Package : gdk-pixbuf

Version : 2.36.5-2+deb9u5 (stretch), 2.38.1+dfsg-1+deb10u3 (buster)

Related CVEs : CVE-2026-5201

It was discovered that gdk-pixbuf, the GDK Pixbuf library, does not properly validate color component counts in the JPEG image loader, which may result in the execution of arbitrary code or denial of service if specially crafted JPEG images are processed.

ELA-1682-1 gst-plugins-bad1.0 security update (by )

Mon, 13 Apr 2026 19:15:49 +0200

Package : gst-plugins-bad1.0

Version : 1.10.4-1+deb9u7 (stretch), 1.14.4-1+deb10u7 (buster)

Related CVEs : CVE-2026-2923 CVE-2026-3082

Multiple multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

ELA-1681-1 ffmpeg security update (by )

Sun, 12 Apr 2026 21:18:31 -0300

Package : ffmpeg

Version : 7:4.1.11-0+deb10u5 (buster)

Several issues have been found in ffmpeg, a library and tools for transcoding, streaming and playing of multimedia files.

CVE-2023-6603: A flaw was found in FFmpeg’s HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.
CVE-2023-6605: A flaw was found in FFmpeg’s DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
CVE-2025-1594: A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-7700: A flaw was found in FFmpeg’s ALS audio decoder, where it does not properly check for memory allocation failures. This can cause the application to crash when processing certain malformed audio files. While it does not lead to data theft or system control, it can be used to disrupt services and cause a denial of service.
CVE-2025-9951: A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000.
CVE-2025-10256: A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.
CVE-2025-63757: Integer overflow vulnerability in the yuv2ya16_X_c_template function in libswscale/output.c in FFmpeg 8.0.

ELA-1680-1 clamav new upstream version (by )

Sat, 11 Apr 2026 10:28:40 +0200

Package : clamav

Version : 1.4.3+dfsg-1~deb9u1 (stretch)

The 1.0 version of ClamAV, an anti-virus utility for Unix, had recently been discontinued upstream, and was set to no longer accept signature updates on November 28, 2026. This update brings ClamAV 1.4 to stretch, extending the upstream support.

ELA-1679-1 libyaml-syck-perl security update (by )

Fri, 10 Apr 2026 17:12:50 +0200

Package : libyaml-syck-perl

Version : 1.31-1+deb10u1 (buster), 1.29-1+deb9u1 (stretch)

Related CVEs : CVE-2025-11683 CVE-2026-4177

CVE-2025-11683

Missing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read. The issue is seen with complex YAML files with a hash of all keys and empty values.
CVE-2026-4177

Several security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

ELA-1678-1 bind9 security update (by )

Thu, 09 Apr 2026 23:01:17 +0200

Package : bind9

Version : 1:9.11.37+git20260204.fcafb2d+dfsg-0~deb10u1 (buster)

Related CVEs : CVE-2025-40778

bind9 a popular name server was affected by a vulnerability.

Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache (cache poisoning).

Security fixes needed to update isc-dhcp and bind-dyndb-ldap packages.

ELA-1676-1 postgresql-11 security update (by )

Wed, 08 Apr 2026 20:00:43 +0200

Package : postgresql-11

Version : 11.22-0+deb10u7 (buster)

Multiple vulnerabilities were fixed in PostgreSQL, a popular database.

CVE-2026-2003: Improper validation of type “oidvector” in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely.
CVE-2026-2004: Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database.
CVE-2026-2005: Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.
CVE-2026-2006: Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database.

ELA-1677-1 postgresql-9.6 security update (by )

Wed, 08 Apr 2026 19:59:09 +0200

Package : postgresql-9.6

Version : 9.6.24-0+deb9u11 (stretch)

Multiple vulnerabilities were fixed in PostgreSQL, a popular database.

CVE-2026-2003: Improper validation of type “oidvector” in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely.
CVE-2026-2004: Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database.
CVE-2026-2005: Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.
CVE-2026-2006: Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database.

ELA-1675-1 libxml-parser-perl security update (by )

Sat, 04 Apr 2026 09:16:58 +0200

Package : libxml-parser-perl

Version : 2.44-2+deb9u1 (stretch), 2.44-4+deb10u1 (buster)

Related CVEs : CVE-2006-10002 CVE-2006-10003

CVE-2006-10002: Buffer overwrite in parse_stream(), which may lead to denial of service when the filehandle has an :utf8 layer.
CVE-2006-10003: Off-by-one heap buffer overflow in st_serial_stack(), which can be observed when parsing an XML file with very deep element nesting.

ELA-1674-1 libpng1.6 security update (by )

Fri, 03 Apr 2026 11:14:46 +0200

Package : libpng1.6

Version : 1.6.28-1+deb9u4 (stretch)

Related CVEs : CVE-2026-33416

A security vulnerabilities has been discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could result potentially the execution of arbitrary code.

CVE-2026-33416

Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`, potentially allowing arbitrary code execution

ELA-1673-1 libpng1.6 security update (by )

Fri, 03 Apr 2026 11:12:21 +0200

Package : libpng1.6

Version : 1.6.36-6+deb10u3 (buster)

Related CVEs : CVE-2026-33416 CVE-2026-33636

Two security vulnerabilities were discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could result in denial of service or potentially the execution of arbitrary code.

CVE-2026-33416

Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`, potentially allowing arbitrary code execution

CVE-2026-33636

Out-of-bounds read/write in the palette expansion on ARM Neon, potentially causing a crash (DoS)

ELA-1672-1 python-tornado security update (by )

Wed, 01 Apr 2026 12:12:29 +0200

Package : python-tornado

Version : 4.4.3-1+deb9u3 (stretch), 5.1.1-4+deb10u4 (buster)

Related CVEs : CVE-2026-31958 CVE-2026-35536

Multiple vulnerabilities were discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.

CVE-2026-31958

Introduce new limits on the size and complexity of multipart bodies,
including a default limit of 100 parts per request to mitigate a possible
DoS. It is also possible to disable parsing multipart/form-data entirely
if not required

CVE-2026-35536

Values passed to the domain, path, and samesite arguments of
RequestHandler.set_cookie are not completely validated. In particular,
semicolons are allowed, which could be used to inject attacker-controlled
values for other cookie attributes.

ELA-1671-1 phpseclib security update (by )

Mon, 30 Mar 2026 20:52:15 +0530

Package : phpseclib

Version : 1.0.19-3~deb10u4 (buster)

Related CVEs : CVE-2023-52892 CVE-2026-32935

Two vulnerabilities were discovered in phpseclib, a PHP Secure Communications Library.

CVE-2023-52892

Some characters in Subject Alternative Name fields in TLS
certificates were incorrectly allowed to have a special meaning
in regular expressions, leading to name confusion in X.509
certificate host verification.

CVE-2026-32935

The AES-CBC implementation was susceptible to a padding oracle
timing attack due to the use of a short-circuiting logical
operator in the unpadding function.

ELA-1670-1 gst-plugins-ugly1.0 security update (by )

Mon, 30 Mar 2026 02:17:24 +0530

Package : gst-plugins-ugly1.0

Version : 1.10.4-1+deb9u3 (stretch), 1.14.4-1+deb10u3 (buster)

Related CVEs : CVE-2026-2920 CVE-2026-2922

Two vulnerabilities were discovered in gst-plugins-ugly1.0, a set of GStreamer plugins from the “ugly” set.

CVE-2026-2920

The ASF demuxer did not validate the number of streams against
the size of its static streams array. A crafted ASF file with
more than 32 streams could cause a heap-based buffer overflow
and potentially allow code execution.

CVE-2026-2922

The RealMedia demuxer checked for too many video fragments after
writing to the fragment storage, allowing an out-of-bounds write.
Additionally, an integer overflow in the fragment size check could
bypass the available data validation.

ELA-1669-1 gst-plugins-base1.0 security update (by )

Sun, 29 Mar 2026 16:35:54 +0530

Package : gst-plugins-base1.0

Version : 1.10.4-1+deb9u7 (stretch), 1.14.4-2+deb10u6 (buster)

Related CVEs : CVE-2026-2921

An integer overflow was discovered in the RIFF parser of the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

ELA-1668-1 gvfs security update (by )

Sat, 28 Mar 2026 19:17:12 +0100

Package : gvfs

Version : 1.30.4-1+deb9u1 (stretch)

Multiple vulnerabilities have been identified in gvfs, the GNOME virtual filesystem layer responsible for providing user-space access to local and remote filesystems via various backends (e.g. ftp://, admin://, etc.)

Codean Labs found that gvfs ftp:// backend had vulnerabilities including ftp bounce attack that could expose which ports where open on the clients internal network and improper CRLF validation which could allow an attacker to inject arbitrary FTP commands.

The admin:// backend was found to have multiple issues including incorrect permission check that allows reading and modify arbitrary files by privileged users without asking for password when no authentication agent is running, mishandles file ownership because setfsuid is not used, race conditions because the admin backend doesn’t implement query_info_on_read/write, mishandles a file’s user and group ownership during move and copy operations from admin:// to file:// URIs because root privileges are unavailable.

The gvfs daemon opened a private D-Bus server socket without configuring an authorization rule. This could allow a local attacker to connect and issue D-Bus method calls.

ELA-1667-1 gvfs security update (by )

Sat, 28 Mar 2026 19:16:21 +0100

Package : gvfs

Version : 1.38.1-5+deb10u1 (buster)

Related CVEs : CVE-2026-28295 CVE-2026-28296

Codean Labs found that gvfs, a virtual filesystem implementation, was affected by multiple vulnerabililies including FTP bounce attack which could lead to probing open ports on client network and improper CRLF validation which could allow an attacker to inject arbitrary FTP commands.

ELA-1666-1 libvpx security update (by )

Fri, 27 Mar 2026 19:31:29 +0100

Package : libvpx

Version : 1.6.1-3+deb9u8 (stretch), 1.7.0-3+deb10u5 (buster)

Related CVEs : CVE-2026-2447

A buffer overflow was discovered in libvpx, a library implementing the VP8/VP9 open video codecs, which could result in denial of service or potentially the execution of arbitrary code.

ELA-1665-1 strongswan security update (by )

Fri, 27 Mar 2026 19:29:00 +0100

Package : strongswan

Version : 5.7.2-1+deb10u6 (buster)

Related CVEs : CVE-2026-25075

Kazuma Matsumoto discovered an integer overflow bug in the EAP-TTLS plugin of strongSwan, an IKE/IPsec suite.

The EAP-TTLS plugin doesn’t check the length field in the header of attribute-value pairs (AVPs) tunneled in EAP-TTLS, which can cause an integer underflow that may lead to a crash. An unauthenticated attacker could exploit this for a DoS attack by sending a crafted message.

ELA-1663-1 linux-6.1 security update (by )

Wed, 25 Mar 2026 18:09:14 -0300

Package : linux-6.1

Version : 6.1.164+1~deb9u1 (stretch), 6.1.164+1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that could lead to privilege escalation, denial of service, or information disclosure.

Many apparmor related issues were fixed. This update also fixes a regression that caused GRE6 tunnels to stop working due to a decapsulation failure (Debian bug #1127597).

ELA-1664-1 linux-5.10 security update (by )

Wed, 25 Mar 2026 18:08:13 -0300

Package : linux-5.10

Version : 5.10.251-1~deb9u1 (stretch), 5.10.251-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that could lead to privilege escalation, denial of service, or information disclosure.

Many apparmor related issues were fixed. This update also fixes a regression that caused GRE6 tunnels to stop working due to a decapsulation failure (Debian bug #1127597).

ELA-1662-1 awstats security update (by )

Wed, 25 Mar 2026 12:13:31 -0700

Package : awstats

Version : 7.6+dfsg-2+deb10u4 (buster)

Related CVEs : CVE-2025-63261

It was discovered that there was a potential command injection vulnerability in awstats, an analytics tool for web servers and similar services.

ELA-1661-1 mapserver security update (by )

Mon, 23 Mar 2026 13:46:12 +0100

Package : mapserver

Version : 7.0.4-2+deb9u1 (stretch), 7.2.2-1+deb10u1 (buster)

Related CVEs : CVE-2021-32062 CVE-2025-59431

Vulnerabilities were found in mapserver, a CGI-based framework for Internet map services, which could lead to security controls bypass or SQL injection.

CVE-2021-32062: Due to a logic flaw associated with processing map parameter, it is possible to specify an arbitrary mapfile that bypasses the MS_MAP_NO_PATH and MS_MAP_PATTERN security control checks.
CVE-2025-59431: Alwin Warringa discovered that XML Filter Query directive PropertyName is vulnerably to Boolean-based SQL injection, allowing to manipulate backend database queries via crafted XML Filter Query directives.

In addition, this update fixes memory and heap-buffer-overflow issues in the lexer.

ELA-1660-1 evolution-data-server security update (by )

Sun, 22 Mar 2026 19:42:39 +0100

Package : evolution-data-server

Version : 3.22.7-1+deb9u3 (stretch), 3.30.5-1+deb10u3 (buster)

Related CVEs : CVE-2026-2604

An issue has been found in evolution-data-server, an evolution database backend server. A Flatpak application with D-Bus access to the addressbook service can delete arbitrary files on the host, potentially including Flatpak override files. This fix canonicalizes the file path before performing a prefix comparison, ensuring that ../ sequences are resolved.

ELA-1659-1 imagemagick security update (by )

Sat, 21 Mar 2026 00:29:59 +0100

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u26 (stretch)

Multiple security vulnerabilities were discovered in imagemagick, a software suite used for editing and manipulating digital images, which could lead to information leaks, bypass of security policies, denial of service or arbitrary code execution.

ELA-1658-1 openssl security update (by )

Thu, 19 Mar 2026 11:59:09 +0100

Package : openssl

Version : 1.1.0l-1~deb9u12 (stretch), 1.1.1n-0+deb10u9 (buster)

Aisle Research found multiple vulnerabilites in OpenSSL, a Secure Socket Layer toolkit providing the SSL and TLS cryptographic protocols for secure communication over the Internet.

CVE-2025-68160

Petr Simecek (Aisle Research) and Stanislav Fort (Aisle Research) found
writing large, newline-free data into a BIO chain using the line-buffering
filter where the next BIO performs short writes can trigger a heap-based
out-of-bounds write. This out-of-bounds write can cause memory corruption
which typically results in a crash, leading to Denial of Service for an
application.

CVE-2025-69418

Stanislav Fort (Aisle Research) found using the low-level OCB API directly
with AES-NI or other hardware-accelerated code paths, inputs whose length
is not a multiple of 16 bytes can leave the final partial block unencrypted
and unauthenticated. The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.

CVE-2025-69419

Stanislav Fort (Aisle Research) found a maliciously crafted PKCS#12 file
with a BMPString (UTF-16BE) can lead to out-of-bounds write causing a
memory corruption which can have various consequences including a Denial of
Service.

CVE-2025-69420

Luigino Camastra (Aisle Research) found a type confusion vulnerability
exists in the TimeStamp Response verification code, leading to an invalid
or NULL pointer dereference when processing a malformed TimeStamp Response
file. The result is a possible Denial of Service.

CVE-2025-69421

Luigino Camastra (Aisle Research) found out processing a malformed PKCS#12
file can trigger a NULL pointer dereference in the
PKCS12_item_decrypt_d2i_ex() function that can trigger a crash which leads
to Denial of Service for an application processing PKCS#12 files.

CVE-2026-22795

Luigino Camastra (Aisle Research) found that an application processing a
malformed PKCS#12 file can be caused to dereference an invalid or NULL
pointer on memory read, resulting in a Denial of Service.

CVE-2026-22796

Luigino Camastra (Aisle Research) found that an application performing
signature verification of PKCS#7 data or calling directly the
PKCS7_digest_from_attributes() function can be caused to dereference an
invalid or NULL pointer when reading, resulting in a Denial of Service.

More details are available in: https://openssl-library.org/news/secadv/20260127.txt

ELA-1657-1 imagemagick security update (by )

Mon, 16 Mar 2026 21:38:11 +0100

Package : imagemagick

Version : 8:6.9.10.23+dfsg-2.1+deb10u15 (buster)

Monthly report about Debian Long Term Support, February 2026 (by Thorsten Alteholz)

Thorsten Alteholz — Mon, 16 Mar 2026 00:00:00 +0000

The Debian LTS Team, funded by [Freexian’s Debian LTS offering] (https://www.freexian.com/lts/debian/), is pleased to report its activities for February.

Activity summary

During the month of February, 20 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 35 DLAs fixing 527 CVEs.

We also welcomed Arnaud Rebillout to the team and had to say farewell to Roberto, who left the team after more than nine years as part of it.

Notable security updates:

Guilhem Moulin prepared DLA 4492-1 for gnutls28 to fix vulnerabilities which may lead to Denial of Service.
Utkarsh Gupta prepared DLA 4464-1 for xrdp, to fix a a vulnerability that could allow remote attackers to execute arbitrary code on the target system.
Emilio Pozuelo Monfort prepared DLA-4465-1 to replace ClamAV 1.0 with ClamAV 1.4. This latter is the current LTS version supported by upstream.
Markus Koschany prepared DLA 4468-1 for tomcat9, to fix a vulnerability that can be used to bypass security constraints.
Santiago Ruano Rincón prepared DLA 4471-1 to update package debian-security-support, the Debian security coverage checker.
Bastien Roucariès prepared DLA 4473-1 for zabbix, to fix a potential remote code execution vulnerability.
Paride Legovini prepared DLA 4478-1 for tcpflow, to fix a vulnerability that might result in DoS and potentially code execution.
Thorsten Alteholz prepared DLA 4477-1 for munge, to fix a vulnerability which may allow local users to leak the MUNGE cryptographic key and forge arbitrary credentials.
Ben Hutchings prepared DLA 4475-1 and DLA 4476-1 for Linux kernel updates.
Chris Lamb prepared DLA 4482-1 for ceph, to fix SSL certificate checking in the Python bindings.
Andreas Henriksson prepared DLA 4491-1 to fix vulnerabilities in glib2.0, which could result in denial of service, memory corruption or potentially arbitrary code execution.

Contributions from outside the LTS Team:

The update of nova was prepared by the maintainer, Thomas Goirand. The corresponding DLA 4486-1 was published by Carlos Henrique Lima Melara.
The updates of thunderbird were prepared by the maintainer Christoph Goehre. The corresponding DLA 4466-1 and DLA 4495-1 was published by Emilio Pozuelo Monfort.

The LTS Team has also contributed with updates to the latest Debian releases:

Jochen prepared a point update of wireshark for bookworm (#1127945).
Jochen prepared point updates of erlang for trixie (#1127606) and bookworm (#1127607).
Bastien helped preparing DSA 6160-1 for netty and uploaded a fixed package to unstable.
Bastien prepared a point update of zabbix for trixie (#1127437).
Tobias prepared a point update of modsecurity-crs for bookworm (#1128655).
Tobias prepared a point update of busybox for bookworm (#1129503).
Tobias helped preparing DSA 6138-1 for libpng1.6.
Daniel prepared point updates of python-authlib for trixie (#1129477) and bookworm (#1129246).
Ben uploaded several Linux kernel packages to trixie-backports and bookworm-backports.
Ben prepared point updates of wireless-regdb for trixie and bookworm.

Other than the work related to updates, Sylvain made several improvements to the documentation and tooling used by the team.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 125 months)
- Civil Infrastructure Platform (CIP) (for 93 months)
- VyOS Inc (for 57 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 135 months)
- CONET Deutschland GmbH (for 119 months)
- Plat’Home (for 118 months)
- University of Oxford (for 75 months)
- EDF SA (for 47 months)
- Dataport AöR (for 22 months)
- CERN (for 20 months)
Silver sponsors:
- Domeneshop AS (for 140 months)
- Nantes Métropole (for 134 months)
- Akamai - Linode (for 129 months)
- Univention GmbH (for 126 months)
- Université Jean Monnet de St Etienne (for 126 months)
- Ribbon Communications, Inc. (for 120 months)
- Exonet B.V. (for 110 months)
- Leibniz Rechenzentrum (for 104 months)
- Ministère de l’Europe et des Affaires Étrangères (for 88 months)
- Dinahosting SL (for 75 months)
- Upsun Formerly Platform.sh (for 69 months)
- Moxa Inc. (for 63 months)
- Deveryware (for 62 months)
- sipgate GmbH (for 61 months)
- OVH US LLC (for 59 months)
- Tilburg University (for 59 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 50 months)
- THINline s.r.o. (for 23 months)
- Copenhagen Airports A/S (for 17 months)
- Conseil Départemental de l’Isère (for 3 months)
Bronze sponsors:
- Evolix (for 140 months)
- Seznam.cz, a.s. (for 140 months)
- Intevation GmbH (for 137 months)
- Linuxhotel GmbH (for 137 months)
- Daevel SARL (for 136 months)
- Megaspace Internet Services GmbH (for 135 months)
- Greenbone AG (for 134 months)
- NUMLOG (for 134 months)
- WinGo AG (for 133 months)
- Entr’ouvert (for 125 months)
- Adfinis AG (for 122 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 117 months)
- Tesorion (for 117 months)
- Bearstech (for 108 months)
- LiHAS (for 108 months)
- Catalyst IT Ltd (for 103 months)
- Demarcq SAS (for 97 months)
- Université Grenoble Alpes (for 83 months)
- TouchWeb SAS (for 75 months)
- SPiN AG (for 72 months)
- CoreFiling (for 68 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 59 months)
- Tem Innovations GmbH (for 54 months)
- WordFinder.pro (for 53 months)
- CNRS DT INSU Résif (for 52 months)
- Soliton Systems K.K. (for 47 months)
- Alter Way (for 45 months)
- Institut Camille Jordan (for 35 months)
- SOBIS Software GmbH (for 20 months)
- Tuxera Inc. (for 11 months)
- OPM-OP AS (for 3 months)

Regression Tracking in Debusine (by Stefano Rivera)

Stefano Rivera — Mon, 16 Mar 2026 00:00:00 +0000

Regression Tracking

Debusine is a tool designed for Debian developers and Operating System developers in general. Debusine can run QA pipelines to check that Debian packages are ready to upload. This blog post describes the regression tracking mechanism that’s recently become available in Debusine QA pipelines.

The debian_pipeline workflow in Debusine can build, test, and upload a package to the Debian archive (or any other repository, such as a native Debusine APT repository). The QA tests involve running the standard Debian QA utilities (lintian, autopkgtest, piuparts, blhc) on the built artifacts. In addition we can run the autopkgtests of every other package in the archive that depends on the built package, like britney does for testing migration in Debian. Some of these other packages may have currently-failing autopkgtests that have nothing to do with the changes in the upload under test.

For example:

Figuring out which of these failures are new (and thus worth investigating) has been a manual process in Debusine until now. We have just completed the basic functionality of the regression_tracking=true feature, and have enabled it in the upload-to-* workflows on debusine.debian.net.

With this enabled, you’ll get a new QA tab on your debian_pipeline workflows that shows the trend of each test:

This is determined by looking at recent task history for each task in the debian:qa-results collection. If there is no recent result for a given <package, version, architecture>, then tasks are queued under the “reference tests” qa workflow tree on the pipeline.

These reference tests are run by using the same tasks as the main qa workflow, but without the addition of the package under test. In fact, it uses the same qa workflow that we use to check the package, but with a few different parameters to populate the regression tracking results collection.

The debian:qa-results collection used for analyzing regressions is specified to the debian_pipeline with the regression_tracking_qa_results lookup parameter. On debusine.debian.net we have configured a debian:qa-results collection for sid that can be referenced and added to by tasks in any workspace.

Regressions can be more subtle than a simple Success → Failure. If the number of autopkgtests that fail increases, or the number of lintian tags emitted increases, those are also considered a regressions.

Using regression tracking now

It’s enabled by default on most of the upload-to-* workflows on debusine.debian.net. To disable, pass -O debusine_workflow_data.enable_regression_tracking=false when you dput an upload to debusine.

To use the regression-tracking in your own workflows, use a debian_pipeline workflow that is configured with enable_regression_tracking=true. This will require a qa_suite to be specified, pointing to the baseline suite.

We hope this will make it easier to check QA results for packages tested on debusine.debian.net.

ELA-1656-1 gimp security update (by )

Sat, 14 Mar 2026 18:38:32 +0100

Package : gimp

Version : 2.8.18-1+deb9u9 (stretch), 2.10.8-2+deb10u8 (buster)

Debian Contributions: Opening DebConf 26 Registration, Debian CI improvements and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Tue, 10 Mar 2026 00:00:00 +0000

Debian Contributions: 2026-02

DebConf 26 Registration, by Stefano Rivera, Antonio Terceiro, and Santiago Ruano Rincón

DebConf 26, to be held in Santa Fe Argentina in July, has opened for registration and event proposals. Stefano, Antonio, and Santiago all contributed to making this happen.

As always, some changes needed to be made to the registration system. Bigger changes were planned, but we ran out of time to implement them for DebConf 26. All 3 of us have had experience in hosting local DebConf events in the past and have been advising the DebConf 26 local team.

Debian CI improvements, by Antonio Terceiro

Debian CI is the platform responsible for automated testing of packages from the Debian archive, and its results are used by the Debian Release team automation as Quality Assurance to control the migration of packages from Debian unstable into testing, the base for the next Debian release. Antonio started developing an incus backend, and that prompted two rounds of improvements to the platform, including but not limited to allowing user to select a job execution backend (lxc, qemu) during the job submission, reducing the part of testbed image creation that requires superuser privileges and other refactorings and bug fixes. The platform API was also improved to reduce disruption when reporting results to the Release Team automation after service downtimes. Last, but not least, the platform now has support for testing packages against variants of autopkgtest, which will allow the Debian CI team to test new versions of autopkgtest before making releases to avoid widespread regressions.

Miscellaneous contributions

Carles improved po-debconf-manager while users requested features / found bugs. Improvements done - add packages from “unstable” instead of just salsa.debian.org, upgrade and merge templates of upgraded packages, finished adding typing annotations, improved deleting packages: support multiple line texts, add –debug to see “subprocess.run” commands, etc.
Carles, using po-debconf-manager, reviewed 7 Catalan translations and sent bug reports or MRs for 11 packages. Also reviewed the translations of fortunes-debian-hints and submitted possible changes in the hints.
Carles submitted MRs for reportbug (reportbug --ui gtk detecting the wrong dependencies), devscript (delete unused code from debrebuild and add recommended dependency), wcurl (format –help for 80 columns). Carles submitted a bug report for apt not showing the long descriptions of packages.
Carles resumed effort for checking relations (e.g. Recommends / Suggests) between Debian packages. A new codebase (still in early stages) was started with a new approach in order to detect, report and track the broken relations.
Emilio drove several transitions, most notably the haskell transition and the glibc/gcc-15/zlib transition for the s390 31-bit removal. This last one included reviewing and requeueing lots of autopkgtests due to britney losing a lot of results.
Emilio reviewed and uploaded poppler updates to experimental for a new transition.
Emilio reviewed, merged and deployed some performance improvements proposed for the security-tracker.
Stefano prepared routine updates for pycparser, python-confuse, python-cffi, python-mitogen, python-pip, wheel, platformdirs, python-authlib, and python-virtualenv.
Stefano updated Python 3.13 and 3.14 to the latest point releases, including security updates, and did some preliminary work for Python 3.15.
Stefano reviewed changes to dh-python and merged MRs.
Stefano did some debian.social sysadmin work, bridging additional IRC channels to Matrix.
Stefano and Antonio, as DebConf Committee Members, reviewed the DebConf 27 bids and took part in selecting the Japanese bid to host DebConf 27.
Helmut sent patches for 29 cross build failures.
Helmut continued to maintain rebootstrap addressing issues relating to specific architectures (such as musl-linux-any, hurd-any or s390x) or specific packages (such as binutils, brotli or fontconfig).
Helmut worked on diagnosing bugs such as rocblas #1126608, python-memray #1126944 upstream and greetd #1129070 with varying success.
Antonio provided support for multiple MiniDebConfs whose websites run wafer + wafer-debconf (the same stack as DebConf itself).
Antonio fixed the salsa tagpending webhook.
Antonio sent specinfra upstream a patch to fix detection of Debian systems in some situations.
Santiago reviewed some Merge Requests for the Salsa CI pipeline, including !703 and !704, that aim to improve how the build source job is handled by Salsa CI. Thanks a lot to Jochen for his work on this.
In collaboration with Emmanuel Arias, Santiago proposed a couple of projects for the Google Summer of Code (GSoC) 2026 round. Santiago has been reviewing applications and giving feedback to candidates.
Thorsten uploaded new upstream versions of ipp-usb, brlaser and gutenprint.
Raphaël updated publican to fix an old bug that became release critical and that happened only when building with the nocheck profile. Publican is a build dependency of the Debian’s Administrator Handbook and with that fix, the package is back into testing.
Raphaël implemented a small feature in Debusine that makes it possible to refer to a collection in a parent workspace even if a collection with the same name is present in the current workspace.
Lucas updated the current status of ruby packages affecting the Ruby 3.4 transition after a bunch of updates made by team members. He will follow up on this next month.
Lucas joined the Debian orga team for GSoC this year and tried to reach out to potential mentors.
Lucas did some content work for MiniDebConf Campinas - Brazil.
Colin published minor security updates to “bookworm” and “trixie” for CVE-2025-61984 and CVE-2025-61985 in OpenSSH, both of which allowed code execution via ProxyCommand in some cases. The “trixie” update also included a fix for mishandling of PerSourceMaxStartups.
Colin spotted and fixed a typo in the bug tracking system’s spam-handling rules, which in combination with a devscripts regression caused bts forwarded commands to be discarded.
Colin ported 12 more Python packages away from using the deprecated (and now removed upstream) pkg_resources module.
Anupa is co-organizing MiniDebConf Kanpur with Debian India team. Anupa was responsible for preparing the schedule, publishing it on the website, co-ordination with the fiscal host in addition to attending meetings.
Anupa attended the Debian Publicity team online sprint which was a skill sharing session.

ELA-1655-1 openjdk-8 security update (by )

Thu, 05 Mar 2026 11:00:36 +0100

Package : openjdk-8

Version : 8u482-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in incorrect certificate validation, CRLF injection or man-in-the-middle attacks.

ELA-1654-1 python-tornado security update (by )

Sun, 01 Mar 2026 00:50:33 +0100

Package : python-tornado

Version : 4.4.3-1+deb9u2 (stretch)

Multiple vulnerabilities were discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.

CVE-2025-47287

When Tornado's 'multipart/form-data' parser encounters certain errors,
it logs a warning but continues trying to parse the remainder of the
data. This allows remote attackers to generate an extremely high volume
of logs, constituting a DoS attack. This DoS is compounded by the fact
that the logging subsystem is synchronous.

CVE-2025-67724

Custom reason phrases can cause multiple vulnerabilities (like XSS,
header injection, ...) due to being used unescaped in HTTP headers.

CVE-2025-67725

A single maliciously crafted HTTP request can cause a possible DoS
due to quadratic performance of repeated header lines.

CVE-2025-67726

An inefficient algorithm when parsing parameters for HTTP header
values can potentially cause a DoS.

ELA-1652-1 glib2.0 security update (by )

Sat, 28 Feb 2026 08:10:20 +0000

Package : glib2.0

Version : 2.50.3-2+deb9u9 (stretch), 2.58.3-2+deb10u10 (buster)

Multiple issues were found in GLib, a general-purpose, portable utility library, that could lead to denial of service, memory corruption or potentially arbitrary code execution if maliciously crafted data is processed.

CVE-2026-0988: Codean Labs found missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).
CVE-2026-1484: treeplus, with additional thanks to Sovereign Tech Resilience program of the Sovereign Tech Agency, found a flaw in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.
CVE-2026-1485: treeplus, with additonal thanks to Sovereign Tech Resilience program of the Sovereign Tech Agency, found a flaw in Glib’s content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.
CVE-2026-1489: treeplus, with additional thanks to Sovereign Tech Resilience program of the Sovereign Tech Agency, found a flaw in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.

ELA-1653-1 gnutls28 security update (by )

Fri, 27 Feb 2026 08:36:51 +0100

Package : gnutls28

Version : 3.5.8-5+deb9u10 (stretch), 3.6.7-4+deb10u15 (buster)

Related CVEs : CVE-2025-9820 CVE-2025-14831

Vulnerabilities were found in GnuTLS, a portable library which implements the Transport Layer Security and Datagram Transport Layer Security protocols, which may lead to Denial of Service.

CVE-2025-9820: An out-of-bound write issue was discovered when a PKCS#11 token is initialized with the gnutls_pkcs11_token_init() function and it is passed a token label longer than 32 characters.
CVE-2025-14831: Tim Scheckenbach discovered that verifying specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs) could lead to resource exhaustion.

ELA-1651-1 modsecurity-crs security update (by )

Sun, 22 Feb 2026 11:14:08 +0100

Package : modsecurity-crs

Version : 3.2.3-0+deb10u4 (buster)

Related CVEs : CVE-2023-38199

A issue has been fixed in modsecurity-crs, a set of generic attack detection rules for use with ModSecurity.

CVE-2023-38199

Coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka “Content-Type confusion” between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.

ELA-1650-1 gegl security update (by )

Sat, 21 Feb 2026 18:55:06 +0100

Package : gegl

Version : 0.3.8-4+deb9u2 (stretch), 0.4.12-2+deb10u2 (buster)

Related CVEs : CVE-2026-2049 CVE-2026-2050

A heap-based buffer overflow was discovered in the RGBE/HDR parser of GEGL, a graph-based image processing library, which could result in denial of service or the execution of arbitrary code if malformed files are processed.

ELA-1649-1 gimp security update (by )

Fri, 20 Feb 2026 18:40:37 +0100

Package : gimp

Version : 2.8.18-1+deb9u8 (stretch), 2.10.8-2+deb10u7 (buster)

Related CVEs : CVE-2026-2239 CVE-2026-2271 CVE-2026-2272

ELA-1648-1 python-django security update (by )

Thu, 19 Feb 2026 11:48:22 -0800

Package : python-django

Version : 1:1.10.7-2+deb9u30 (stretch), 1:1.11.29-1+deb10u19 (buster)

It was discovered that there were multiple vulnerabilities in Django, the Python-based web-development framework:

CVE-2025-13473: The check_password function in django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi allowed remote attackers to enumerate users via a timing attack.
CVE-2026-1207: Raster lookups on RasterField (only implemented on PostGIS) allowed remote attackers to inject SQL via the band index parameter.
CVE-2026-1285: The django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters allowed a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.
CVE-2026-1287: FilteredRelation was subject to SQL injection in column aliases via control characters using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet methods annotate(), aggregate(), extra(), values(), values_list() and alias().
CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation.

In addition, The fix for CVE-2025-6069 in the python3.9 source package which modified the html.parser.HTMLParser class in such a way that changed the behaviour of Django’s strip_tags() method in some edge cases that were tested by Django’s testsuite. As a result of this regression, we have updated the testsuite for the new expected results.

ELA-1647-1 libpng1.6 security update (by )

Tue, 17 Feb 2026 19:34:36 +0100

Package : libpng1.6

Version : 1.6.28-1+deb9u3 (stretch), 1.6.36-6+deb10u2 (buster)

Multiple vulnerabilties have been found in libpng, the official PNG reference library, potentially allowing information disclosure via out-of-bounds read or denial of service via infinite loop.

CVE-2026-22695

There is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018.

CVE-2026-22801

There is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems.

CVE-2026-25646

A out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and  the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification.

Monthly report about Debian Long Term Support, January 2026 (by Santiago Ruano Rincón)

Santiago Ruano Rincón — Tue, 17 Feb 2026 00:00:00 +0000

The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for January.

Activity summary

During the month of January, 20 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 33 DLAs fixing 216 CVEs.

Notable security updates:

python3.9, prepared by Andrej Shadura (DLA-4455-1), fixing multiple vulnerabilities in the Python interpreter.
php, prepared by Guilhem Moulin (DLA-4447-1), fixing two vulnerabilities that could yield to request forgery or denial of service.
apache2, prepared by Bastien Roucariès DLA-4452-1, fixing four CVEs.
linux-6.1, prepared by Ben Hutchings (DLA-4436-1), as a regular update of the linux 6.1 backport to Debian 11.
python-django, prepared by Chris Lamb (DLA-4458-1), resolving multiple vulnerabilities.
firefox-esr prepared by Emilio Pozuelo Monfort (DLA-4439-1)
gnupg2, prepared by Roberto Sánchez (DLA-4437-1), fixing multiple issues, including CVE-2025-68973 that could potentially be exploited to execute arbitrary code.
apache-log4j2, prepared by Markus Koschany (DLA-4444-1)
ceph, prepared by Utkarsh Gupta (DLA-4460-1)
inetutils, prepared by Andreas Henriksson (DLA-4453-1), fixing an authentication bypass in telnetd.

Moreover, Sylvain Beucler studied the security support status of p7zip, a fork of 7zip that has become unmaintained upstream. To avoid letting the users continue using an unsupported package, Sylvain has investigated a path forward in collaboration with the security team and the 7zip maintainer, looking to replace p7zip with 7zip. It is to note however that 7zip developers don’t reveal the information about the patches that fix CVEs, making it difficult to backport single patches to fix vulnerabilities in Debian released versions.

Contributions from outside the LTS Team:

Thunderbird, prepared by maintainer Christoph Goehre. The DLA (DLA-4442-1) was published by Emilio.

The LTS Team has also contributed with updates to the latest Debian releases:

Bastien uploaded gpsd to unstable, and proposed updates for trixie #1126121 and bookworm #1126168 to fix two CVEs.
Bastien also prepared the imagemagick updates for trixie and bookworm, released as DSA-6111-1, along with the bullseye update DLA-4448-1.
Chris proposed a trixie point update for python-django (#112646), and the work for bookworm was completed in February (#1079454). The longstanding bookworm update required tracking down a regression in the django-storages packages.
Markus prepared tomcat10 updates for trixie and bookworm (DSA-6120-1), and tomcat11 for trixie (DSA-6121-1)
Thorsten Alteholz prepared bookworm point updates for zvbi (#1126167) to fix five CVEs; taglib (#1126273) to fix one CVE; and libuev (#1126370) to fix one CVE.
Utkarsh prepared an unstable update of node-lodash to fix one CVE.

Other than the work related to updates, Sylvain made several improvements to the documentation and tooling used by the team.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 124 months)
- Civil Infrastructure Platform (CIP) (for 92 months)
- VyOS Inc (for 56 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 134 months)
- CONET Deutschland GmbH (for 118 months)
- Plat’Home (for 117 months)
- University of Oxford (for 74 months)
- EDF SA (for 46 months)
- Dataport AöR (for 21 months)
- CERN (for 19 months)
Silver sponsors:
- Domeneshop AS (for 139 months)
- Nantes Métropole (for 133 months)
- Akamai - Linode (for 129 months)
- Univention GmbH (for 125 months)
- Université Jean Monnet de St Etienne (for 125 months)
- Ribbon Communications, Inc. (for 119 months)
- Exonet B.V. (for 109 months)
- Leibniz Rechenzentrum (for 103 months)
- Ministère de l’Europe et des Affaires Étrangères (for 87 months)
- Dinahosting SL (for 74 months)
- Upsun Formerly Platform.sh (for 68 months)
- Deveryware (for 62 months)
- Moxa Inc. (for 62 months)
- sipgate GmbH (for 60 months)
- OVH US LLC (for 58 months)
- Tilburg University (for 58 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 49 months)
- THINline s.r.o. (for 22 months)
- Copenhagen Airports A/S (for 16 months)
- Conseil Départemental de l’Isère
Bronze sponsors:
- Seznam.cz, a.s. (for 140 months)
- Evolix (for 139 months)
- Linuxhotel GmbH (for 137 months)
- Intevation GmbH (for 136 months)
- Daevel SARL (for 135 months)
- Megaspace Internet Services GmbH (for 134 months)
- Greenbone AG (for 133 months)
- NUMLOG (for 133 months)
- WinGo AG (for 132 months)
- Entr’ouvert (for 124 months)
- Adfinis AG (for 121 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 116 months)
- Tesorion (for 116 months)
- Bearstech (for 107 months)
- LiHAS (for 107 months)
- Catalyst IT Ltd (for 102 months)
- Demarcq SAS (for 96 months)
- Université Grenoble Alpes (for 82 months)
- TouchWeb SAS (for 74 months)
- SPiN AG (for 71 months)
- CoreFiling (for 67 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 58 months)
- Tem Innovations GmbH (for 53 months)
- WordFinder.pro (for 53 months)
- CNRS DT INSU Résif (for 51 months)
- Soliton Systems K.K. (for 47 months)
- Alter Way (for 44 months)
- Institut Camille Jordan (for 34 months)
- SOBIS Software GmbH (for 19 months)
- Tuxera Inc. (for 10 months)
- OPM-OP AS

ELA-1646-1 wireshark security update (by )

Mon, 16 Feb 2026 14:58:00 +0100

Package : wireshark

Version : 2.6.20-0+deb10u9~deb9u2 (stretch), 2.6.20-0+deb10u10 (buster)

Multiple vulnerabilities have been fixed in the network traffic analyzer Wireshark.

CVE-2024-9781

AppleTalk and RELOAD Framing dissector crash allows denial of service via packet injection or crafted capture file.

CVE-2024-11596

ECMP dissector crash allows denial of service via packet injection or crafted capture file.

CVE-2025-5601

Column handling crashes allows denial of service via packet injection or crafted capture file.

CVE-2025-11626

MONGO dissector infinite loop allows denial of service.

CVE-2025-13946

MEGACO dissector infinite loop in allows denial of service.

ELA-1645-1 clamav new upstream version (by )

Fri, 13 Feb 2026 16:40:22 +0100

Package : clamav

Version : 1.4.3+dfsg-1~deb10u1 (buster)

ELA-1644-1 linux-5.10 security update (by )

Fri, 13 Feb 2026 16:07:07 +0100

Package : linux-5.10

Version : 5.10.249-1~deb9u1 (stretch), 5.10.249-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1643-1 linux-6.1 security update (by )

Fri, 13 Feb 2026 14:32:59 +0100

Package : linux-6.1

Version : 6.1.162-1~deb9u1 (stretch), 6.1.162-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

Debian Contributions: cross building, rebootstrap updates, Refresh of the patch tagging guidelines and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Thu, 12 Feb 2026 00:00:00 +0000

Debian Contributions: 2026-01

cross building, by Helmut Grohne

In version 1.10.1, Meson merged a patch to make it call the correct g-ir-scanner by default thanks to Eli Schwarz. This problem affected more than 130 source packages. Helmut retried building them all and filed 69 patches as a result. A significant portion of those packages require another Meson change to call the correct vapigen. Another notable change is converting gnu-efi to multiarch, which ended up requiring changes to a number of other packages. Since Aurelien dropped the libcrypt-dev dependency from libc6-dev, this transition now is mostly complete and has resulted in most of the Perl ecosystem correctly expressing perl-xs-dev dependencies needed for cross building. It is these infrastructure changes affecting several client packages that this work targets. As a result of this continued work, about 66% of Debian’s source packages now have satisfiable cross Build-Depends in unstable and about 10000 (55%) actually can be cross built. There are now more than 500 open bug reports affecting more than 2000 packages most of which carry patches.

rebootstrap, by Helmut Grohne

Maintaining architecture cross-bootstrap requires continued effort for adapting to archive changes such as glib2.0 dropping a build profile or an e2fsprogs FTBFS. Beyond those generic problems, architecture-specific problems with e.g. musl-linux-any or sparc may arise. While all these changes move things forward on the surface, the bootstrap tooling has become a growing pile of patches. Helmut managed to upstream two changes to glibc for reducing its Build-Depends in the stage2 build profile and thanks Aurelien Jarno.

Refresh of the patch tagging guidelines, by Raphaël Hertzog

Debian Enhancement Proposal #3 (DEP-3) is named “Patch Tagging Guidelines” and standardizes meta-information that Debian contributors can put in patches included in Debian source packages. With the feedback received over the years, and with the change in the package management landscape, the need to refresh those guidelines became evident. As the initial driver of that DEP, I spent a good day reviewing all the feedback (that I kept in a folder) and producing a new version of the document. The changes aim to give more weight to the syntax that is compatible with git format-patch’s output, and also to clarify the expected uses and meanings of a couple of fields, including some algorithm that parsers should follow to define the state of the patch. After the announcement of the new draft on debian-devel, the revised DEP-3 received a significant number of comments that I still have to process.

Miscellaneous contributions

Helmut uploaded debvm making it work with unstable as a target distribution again.
Helmut modernized the code base backing dedup.debian.net significantly expanding the support for type checking.
Helmut fixed the multiarch hinter once more given feedback from Fabian Grünbichler.
Helmut worked on migrating the rocblas package to forky.
Raphaël fixed RC bug #1111812 in publican and did some maintenance for tracker.debian.org.
Carles added support in the festival Debian package for systemd socket activation and systemd service and socket units. Adapted the patch for upstream and created a merge request (also fixed a MacOS X building system error while working on it). Updated Orca Wiki documentation regarding festival. Discussed a 2007 bug/feature in festival which allowed having a local shell and that the new systemd socket activation has the same code path.
Carles using po-debconf-manager worked on Catalan translations: 7 reviewed and sent; 5 follow ups, 5 deleted packages.
Carles made some po-debconf-manager changes: now it attaches the translation file on follow ups, fixed bullseye compatibility issues.
Carles reviewed a new Catalan apt translation.
Carles investigated and reported a lxhotkey bug and sent a patch for the “abcde” package.
Carles made minor updates for Debian Wiki for different pages (lxde for dead keys, Ripping with abcde troubleshooting, VirtualBox troubleshooting).
Stefano renamed build-details.json in Python 3.14 to fix multiarch coinstallability.
Stefano audited the tooling and ignore lists for checking the contents of the python3.X-minimal packages, finding and fixing some issues in the process.
Stefano made a few uploads of python3-defaults and dh-python in support of Python 3.14-as-default in Ubuntu. Also investigated the risk of ignoring byte-compilation failures by default, and started down the road of implementing this.
Stefano did some sysadmin work on debian.social infrastructure.
Stefano and Santiago worked on preparations for DebConf 26. Especially to help the local team on opening the registration, and reviewing the budget to be presented for approval.
Stefano uploaded routine updates of python-virtualenv and python-flexmock.
Antonio collaborated with DSA on enabling a new proxy for salsa to prevent scrapers from taking the service down.
Antonio did miscellaneous salsa administrative tasks.
Antonio fixed a few Ruby packages towards the Ruby 3.4 transition.
Antonio started work on planned improvements to the DebConf registration system.
Santiago prepared unstable updates for the latest upstream versions of knot-dns and knot-resolver. The authoritative DNS server and DNS resolver software developed by CZ.NIC. It is worth highlighting that, given the separation of functionality compared to other implementations, knot-dns and knot-resolver are also less complex software, which results in advantages in terms of security: only three CVEs have been reported for knot-dns since 2011).
Santiago made some routine reviews of merge requests proposed for the Salsa CI’s pipeline. E.g. a proposal to fix how sbuild chooses the chroot when building a package for experimental.
Colin fixed lots of Python packages to handle Python 3.14 and to avoid using the deprecated pkg_resources module.
Colin added forky support to the images used in Salsa CI pipelines.
Colin began working on getting a release candidate of groff 1.24.0 (the first upstream release since mid-2023, so a very large set of changes) into experimental.
Lucas kept working on the preparation for Ruby 3.4 transition. Some packages fixed (support build against Ruby 3.3 and 3.4): ruby-rbpdf, jekyll, origami-pdf, ruby-kdl, ruby-twitter, ruby-twitter-text, ruby-globalid.
Lucas supported some potential mentors in the Google Summer of Code 26 program to submit their projects.
Anupa worked on the point release announcements for Debian 12.13 and 13.3 from the Debian publicity team side.
Anupa attended the publicity team meeting to discuss the team activities and to plan an online sprint in February.
Anupa attended meetings with the Debian India team to plan and coordinate the MinDebConf Kanpur and sent out related Micronews.
Emilio coordinated various transitions and helped get rid of llvm-toolchain-17 from sid.

ELA-1642-1 python3.7 security update (by )

Tue, 10 Feb 2026 08:23:36 +0100

Package : python3.7

Version : 3.7.3-2+deb10u11 (buster)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause memory corruption, e-mail and HTTP headers injection, validation bypass of .zip archives, and denial of service (DoS).

CVE-2025-4516

There is an issue in CPython when using bytes.decode("unicode_escape", error="ignore|replace").
CVE-2025-6069

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
CVE-2025-6075

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2025-8194

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.
CVE-2025-8291

The ‘zipfile’ module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the ‘zipfile’ module compared to other ZIP implementations.
CVE-2025-11468

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.
CVE-2025-12084

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
CVE-2025-13837

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues.
CVE-2025-15282

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-1299

The email module, specifically the “BytesGenerator” class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

ELA-1641-1 python3.5 security update (by )

Tue, 10 Feb 2026 08:23:30 +0100

Package : python3.5

Version : 3.5.3-1+deb9u12 (stretch)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail and HTTP headers injection, validation bypass of .zip archives, and denial of service (DoS).

CVE-2025-6069

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
CVE-2025-6075

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2025-8194

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.
CVE-2025-8291

The ‘zipfile’ module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the ‘zipfile’ module compared to other ZIP implementations.
CVE-2025-12084

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
CVE-2025-13837

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues.
CVE-2025-15282

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-1299

The email module, specifically the “BytesGenerator” class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

ELA-1640-1 python2.7 security update (by )

Tue, 10 Feb 2026 08:23:20 +0100

Package : python2.7

Version : 2.7.13-2+deb9u12 (stretch), 2.7.16-2+deb10u7 (buster)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause HTTP headers injection and denial of service (DoS).

CVE-2025-6069

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
CVE-2025-6075

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2025-8194

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.
CVE-2025-12084

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

ELA-1639-1 pypy security update (by )

Tue, 10 Feb 2026 08:23:13 +0100

Package : pypy

Version : 7.0.0+dfsg-3+deb10u3 (buster)

Multiple vulnerabilities were discovered in PyPy, a fast, compliant alternative implementation of the Python language.

All fixed vulnerabilities come from the embedded python2.7 standard library. Please refer to ELA-1640-1 for details.

Writing a new worker task for Debusine (by Carles Pina i Estany)

Carles Pina i Estany — Tue, 10 Feb 2026 00:00:00 +0000

Debusine is a tool designed for Debian developers and Operating System developers in general. You can try out Debusine on debusine.debian.net, and follow its development on salsa.debian.org.

This post describes how to write a new worker task for Debusine. It can be used to add tasks to a self-hosted Debusine instance, or to submit to the Debusine project new tasks to add new capabilities to Debusine.

Tasks are Debusine’s unit of work, and the lower-level pieces of Debusine workflows. Examples of tasks are Sbuild, Lintian, Debdiff (see the available tasks).

This post will document the steps to write a new basic worker task. The example will add a worker task that runs reprotest and creates an artifact of the new type ReprotestArtifact with the reprotest log.

Tasks are usually used by workflows. Workflows solve high-level goals by creating and orchestrating different tasks (e.g. a Sbuild workflow would create different Sbuild tasks, one for each architecture).

Overview of tasks

A task usually does the following:

It receives structured data defining its input artifacts and configuration
Input artifacts are downloaded
A process is run by the worker (e.g. lintian, debdiff, etc.). In this blog post, it will run reprotest
The output (files, logs, exit code, etc.) is analyzed, artifacts and relations might be generated, and the work request is marked as completed, either with Success or Failure

If you want to follow the tutorial and add the Reprotest task, your Debusine development instance should have at least one worker, one user, a debusine client set up, and permissions for the client to create tasks. All of this can be setup following the steps in the Contribute section of the documentation.

This blog post shows a functional Reprotest task. This task is not currently part of Debusine. The Reprotest task implementation is simplified (no error handling, unit tests, specific view, docs, some shortcuts in the environment preparation, etc.). At some point, in Debusine, we might add a debrebuild task which is based on buildinfo files and uses snapshot.debian.org to recreate the binary packages.

Defining the inputs of the task

The input of the reprotest task will be a source artifact (a Debian source package). We model the input with pydantic in debusine/tasks/models.py:

class ReprotestData(BaseTaskDataWithExecutor):
    """Data for Reprotest task."""

    source_artifact: LookupSingle

The ReprotestData is what the user will input. A LookupSingle is a lookup that resolves to a single artifact.

We would also have configuration for the desired variations to test, but we have left that out of this example for simplicity. Configuring variations is left as an exercise for the reader.

Since ReprotestData is a subclass of BaseTaskDataWithExecutor it also contains environment where the user can specify in which environment the task will run. The environment is an artifact with a Debian image.

Add the new `Reprotest` artifact data class

In order for the reprotest task to create a new Artifact of the type DebianReprotest with the log and output metadata: add the new category to ArtifactCategory in debusine/artifacts/models.py:

    REPROTEST = "debian:reprotest"

In the same file add the DebianReprotest class:

class DebianReprotest(ArtifactData):
    """Data for debian:reprotest artifacts."""

    reproducible: bool | None = None

    def get_label(self) -> str:
        """Return a short human-readable label for the artifact."""
        return "reprotest analysis"

It could also include the package name or version.

In the same file, map the REPROTEST category to its data model:

#: Index ArtifactData model classes by category
ARTIFACT_DATA_MODELS_BY_CATEGORY: dict[ArtifactCategory, type[ArtifactData]] = {
    …
    ArtifactCategory.REPROTEST: DebianReprotest,
}

(DebianReprotest must be defined above the ARTIFACT_DATA_MODELS_BY_CATEGORY dictionary)

In order to have the category listed in the work request output artifacts table, edit the file debusine/db/models/artifacts.py: In ARTIFACT_CATEGORY_ICON_NAMES add ArtifactCategory.REPROTEST: "folder", and in ARTIFACT_CATEGORY_SHORT_NAMES add ArtifactCategory.REPROTEST: "reprotest",.

Create the new Task class

In debusine/tasks/ create a new file reprotest.py.

reprotest.py

# Copyright © The Debusine Developers
# See the AUTHORS file at the top-level directory of this distribution
#
# This file is part of Debusine. It is subject to the license terms
# in the LICENSE file found in the top-level directory of this
# distribution. No part of Debusine, including this file, may be copied,
# modified, propagated, or distributed except according to the terms
# contained in the LICENSE file.

"""Task to use reprotest in debusine."""

from pathlib import Path
from typing import Any, override

from debusine import utils
from debusine.artifacts.local_artifact import ReprotestArtifact
from debusine.artifacts.models import (
    ArtifactCategory,
    DebianSourcePackage,
    DebianUpload,
    WorkRequestResults,
    get_source_package_name,
    get_source_package_version,
)
from debusine.client.models import RelationType
from debusine.tasks import BaseTaskWithExecutor, RunCommandTask, inputs
from debusine.tasks.inputs import Stage
from debusine.tasks.models import (
    BaseDynamicTaskDataWithExecutor,
    ReprotestData,
)


class Reprotest(
    RunCommandTask[ReprotestData, BaseDynamicTaskDataWithExecutor],
    BaseTaskWithExecutor[ReprotestData, BaseDynamicTaskDataWithExecutor],
):
    """Task to use reprotest in debusine."""

    TASK_VERSION = 1

    CAPTURE_OUTPUT_FILENAME = "reprotest.log"

    # Resolve environment from task data
    environment = inputs.EnvironmentInput(stage=Stage.PENDING)

    # Resolve source_artifact from task data into a specific artifact
    source_artifact = inputs.SingleInput(
        field="source_artifact",
        categories=(
            ArtifactCategory.SOURCE_PACKAGE,
            ArtifactCategory.UPLOAD,
        ),
        stage=Stage.PENDING,
    )

    def __init__(
        self,
        task_data: dict[str, Any],
        dynamic_task_data: dict[str, Any] | None = None,
    ) -> None:
        """Initialize object."""
        super().__init__(task_data, dynamic_task_data)

        self._reprotest_target: Path | None = None

    @override
    def get_subject(self) -> str | None:
        """Return the subject used to look up task configuration."""
        assert isinstance(
            self.source_artifact.data, (DebianSourcePackage, DebianUpload)
        )
        return get_source_package_name(self.source_artifact.data)

    def compute_dynamic_data(self) -> BaseDynamicTaskDataWithExecutor:
        """Compute and return BaseDynamicTaskData."""
        source_artifact = self.source_artifact
        assert isinstance(
            source_artifact.data, (DebianSourcePackage, DebianUpload)
        )
        package_name = get_source_package_name(source_artifact.data)
        version = get_source_package_version(source_artifact.data)

        return BaseDynamicTaskDataWithExecutor(
            environment_id=self.environment.artifact_id,
            subject=self.get_subject(),
            parameter_summary=f"{package_name}_{version}",
        )

    def fetch_input(self, destination: Path) -> bool:
        """Download the required artifacts."""
        assert self.dynamic_data

        artifact_id = self.source_artifact.artifact_id
        self.fetch_artifact(artifact_id, destination)

        return True

    def configure_for_execution(self, download_directory: Path) -> bool:
        """
        Find a .dsc in download_directory.

        Install reprotest and other utilities used in _cmdline.
        Set self._reprotest_target to it.

        :param download_directory: where to search the files
        :return: True if valid files were found
        """
        self._prepare_executor_instance()

        if self.executor_instance is None:
            raise AssertionError("self.executor_instance cannot be None")

        self.run_executor_command(
            ["apt-get", "update"],
            log_filename="install.log",
            run_as_root=True,
            check=True,
        )
        self.run_executor_command(
            [
                "apt-get",
                "--yes",
                "--no-install-recommends",
                "install",
                "reprotest",
                "dpkg-dev",
                "devscripts",
                "equivs",
                "sudo",
            ],
            log_filename="install.log",
            run_as_root=True,
        )

        self._reprotest_target = utils.find_file_suffixes(
            download_directory, [".dsc"]
        )
        return True

    def _cmdline(self) -> list[str]:
        """
        Build the reprotest command line.

        Use configuration of self.data and self._reprotest_target.
        """
        target = self._reprotest_target
        assert target is not None

        cmd = [
            "bash",
            "-c",
            f"TMPDIR=/tmp ; cd /tmp ; dpkg-source -x {target} package/; "
            "cd package/ ; mk-build-deps ; apt-get install --yes ./*.deb ; "
            "rm *.deb ; "
            "reprotest --vary=-time,-user_group,-fileordering,-domain_host .",
        ]

        return cmd

    @staticmethod
    def _cmdline_as_root() -> bool:
        r"""apt-get install --yes ./\*.deb must be run as root."""
        return True

    def task_result(
        self,
        returncode: int | None,
        execute_directory: Path,  # noqa: U100
    ) -> WorkRequestResults:
        """
        Evaluate task output and return success.

        For a successful run of reprotest:
        -must have the output file
        -exit code is 0

        :return: WorkRequestResults.SUCCESS or WorkRequestResults.FAILURE.
        """
        reprotest_file = execute_directory / self.CAPTURE_OUTPUT_FILENAME

        if reprotest_file.exists() and returncode == 0:
            return WorkRequestResults.SUCCESS

        return WorkRequestResults.FAILURE

    def upload_artifacts(
        self, exec_directory: Path, *, execution_result: WorkRequestResults
    ) -> None:
        """Upload the ReprotestArtifact with the files and relationships."""
        if not self.debusine:
            raise AssertionError("self.debusine not set")

        assert self.dynamic_data is not None
        assert self.dynamic_data.parameter_summary is not None

        reprotest_artifact = ReprotestArtifact.create(
            reprotest_output=exec_directory / self.CAPTURE_OUTPUT_FILENAME,
            reproducible=execution_result == WorkRequestResults.SUCCESS,
        )

        uploaded = self.debusine.upload_artifact(
            reprotest_artifact,
            workspace=self.workspace_name,
            work_request=self.work_request_id,
        )

        assert self.dynamic_data is not None
        self.debusine.relation_create(
            uploaded.id,
            self.source_artifact.artifact_id,
            RelationType.RELATES_TO,
        )

Below are the main parts with some basic explanation.

In order for Debusine to discover the task, in the file debusine/tasks/__init__.py add from debusine.tasks.reprotest import Reprotest; and , then in the list __all__ add "Reprotest".

Let’s explain the different parts of the Reprotest class:

Resolving inputs: input fields and dynamic data

The worker has no access to Debusine’s database. Lookups are all resolved before the task gets dispatched to a worker, so all it has to do is download the specified input artifacts.

The resolution is performed automatically by task input fields, which make the result of the resolution available as attributes of the task object.

Reprotest defines two members as input fields: environment and source_artifact, which resolve into InputArtifactSingle structures.

The get_subject method is used to compute the subject for looking up possible task configuration entries for this task, by representing the significant aspect of the task’s input: in this case, the source package name.

The compute_dynamic_data method is used when the task gets ready to be run, to perform the final consistency checks on the input fields and populate the rest of the dynamic task data. This structure holds information useful for displaying the task in the UI (like parameter_summary), for inspecting the lifetime of the task (subject, configuration_context), for statistics (runtime_context), and used to hold the IDs of artifacts before task input fields were introduced.

    def compute_dynamic_data(self) -> BaseDynamicTaskDataWithExecutor:
        """Compute and return BaseDynamicTaskData."""
        source_artifact = self.source_artifact
        assert isinstance(
            source_artifact.data, (DebianSourcePackage, DebianUpload)
        )
        package_name = get_source_package_name(source_artifact.data)
        version = get_source_package_version(source_artifact.data)

        return BaseDynamicTaskDataWithExecutor(
            environment_id=self.environment.artifact_id,
            subject=self.get_subject(),
            parameter_summary=f"{package_name}_{version}",
        )

`fetch_input` method

Download the required artifacts on the worker.

    def fetch_input(self, destination: Path) -> bool:
        """Download the required artifacts."""
        assert self.dynamic_data

        artifact_id = self.source_artifact.artifact_id
        self.fetch_artifact(artifact_id, destination)

        return True

`configure_for_execution` method

Install the packages needed by the task and set _reprotest_target, which is used to build the task’s command line.

    def configure_for_execution(self, download_directory: Path) -> bool:
        """
        Find a .dsc in download_directory.

        Install reprotest and other utilities used in _cmdline.
        Set self._reprotest_target to it.

        :param download_directory: where to search the files
        :return: True if valid files were found
        """
        self._prepare_executor_instance()

        if self.executor_instance is None:
            raise AssertionError("self.executor_instance cannot be None")

        self.run_executor_command(
            ["apt-get", "update"],
            log_filename="install.log",
            run_as_root=True,
            check=True,
        )
        self.run_executor_command(
            [
                "apt-get",
                "--yes",
                "--no-install-recommends",
                "install",
                "reprotest",
                "dpkg-dev",
                "devscripts",
                "equivs",
                "sudo",
            ],
            log_filename="install.log",
            run_as_root=True,
        )

        self._reprotest_target = utils.find_file_suffixes(
            download_directory, [".dsc"]
        )
        return True

`_cmdline` method

Return the command line to run the task.

In this case, and to keep the example simple, we will run reprotest directly in the worker’s executor VM/container, without giving it an isolated virtual server.

So, this command installs the build dependencies required by the package (so reprotest can build it) and runs reprotest itself.

    def _cmdline(self) -> list[str]:
        """
        Build the reprotest command line.

        Use configuration of self.data and self._reprotest_target.
        """
        target = self._reprotest_target
        assert target is not None

        cmd = [
            "bash",
            "-c",
            f"TMPDIR=/tmp ; cd /tmp ; dpkg-source -x {target} package/; "
            "cd package/ ; mk-build-deps ; apt-get install --yes ./*.deb ; "
            "rm *.deb ; "
            "reprotest --vary=-time,-user_group,-fileordering,-domain_host .",
        ]

        return cmd

Some reprotest variations are disabled. This is to keep the example simple with the set of packages to install and reprotest features.

`_cmdline_as_root` method

Since during the execution it’s needed to install packages, run it as root (in the container):

    @staticmethod
    def _cmdline_as_root() -> bool:
        r"""apt-get install --yes ./\*.deb must be run as root."""
        return True

`task_result` method

Task succeeded if a log is generated and the return code is 0.

    def task_result(
        self,
        returncode: int | None,
        execute_directory: Path,  # noqa: U100
    ) -> WorkRequestResults:
        """
        Evaluate task output and return success.

        For a successful run of reprotest:
        -must have the output file
        -exit code is 0

        :return: WorkRequestResults.SUCCESS or WorkRequestResults.FAILURE.
        """
        reprotest_file = execute_directory / self.CAPTURE_OUTPUT_FILENAME

        if reprotest_file.exists() and returncode == 0:
            return WorkRequestResults.SUCCESS

        return WorkRequestResults.FAILURE

`upload_artifacts` method

Create the ReprotestArtifact with the log and the reproducible boolean, upload it, and then add a relation between the ReprotestArtifact and the source package:

    def upload_artifacts(
        self, exec_directory: Path, *, execution_result: WorkRequestResults
    ) -> None:
        """Upload the ReprotestArtifact with the files and relationships."""
        if not self.debusine:
            raise AssertionError("self.debusine not set")

        assert self.dynamic_data is not None
        assert self.dynamic_data.parameter_summary is not None

        reprotest_artifact = ReprotestArtifact.create(
            reprotest_output=exec_directory / self.CAPTURE_OUTPUT_FILENAME,
            reproducible=execution_result == WorkRequestResults.SUCCESS,
        )

        uploaded = self.debusine.upload_artifact(
            reprotest_artifact,
            workspace=self.workspace_name,
            work_request=self.work_request_id,
        )

        assert self.dynamic_data is not None
        self.debusine.relation_create(
            uploaded.id,
            self.source_artifact.artifact_id,
            RelationType.RELATES_TO,
        )

Execution example

To run this task in a local Debusine (see steps to have it ready with an environment, permissions and users created) you can do:

$ python3 -m debusine.client artifact import-debian -w System http://deb.debian.org/debian/pool/main/h/hello/hello_2.10-5.dsc

(get the artifact ID from the output of that command)

The artifact can be seen in http://$DEBUSINE/debusine/System/artifact/$ARTIFACTID/.

Then create a reprotest.yaml:

$ cat <<EOF > reprotest.yaml
source_artifact: $ARTIFACT_ID
environment: "debian/match:codename=bookworm"
EOF

Instead of debian/match:codename=bookworm it could use the artifact ID.

Finally, create the work request to run the task:

$ python3 -m debusine.client create-work-request -w System reprotest --data reprotest.yaml

Using Debusine web you can see the work request, which should go to Running status, then Completed with Success or Failure (depending if reprotest could reproduce it or not). Clicking on the Output tab would have an artifact of type debian:reprotest with one file: the log. In the Metadata tab of the artifact it has Data: the package name and reproducible (true or false).

What is left to do?

This was a simple example of creating a task. Other things that could be done:

unit tests
documentation
configurable variations
running reprotest directly on the worker host, using the executor environment as a reprotest “virtual server”
in this specific example, the command line might be doing too many things that could maybe be done by other parts of the task, such as prepare_environment.
integrate it in a workflow so it’s easier to use (e.g. part of QaWorkflow)
extract more from the log than just pass/fail
display the output in a more useful way (implement an artifact specialized view)

ELA-1638-1 phpunit security update (by )

Mon, 09 Feb 2026 17:21:24 +0530

Package : phpunit

Version : 7.5.6-1+deb10u1 (buster)

Related CVEs : CVE-2026-24765

PHPUnit is a testing framework for PHP. A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to the execution of the PHPT test.

ELA-1637-1 tomcat9 security update (by )

Sat, 07 Feb 2026 12:06:45 +0100

Package : tomcat9

Version : 9.0.107-0+deb10u3 (buster)

Several security vulnerabilities have been found in Tomcat 9, a Java web server and servlet engine. The update corrects various flaws which can lead to a bypass of security constraints or a denial of service.

The regression update announced as ELA-1615-2 was incomplete. Some class files were still missing from jar files which are part of the libtomcat9-java binary package. In order to remedy this problem the following build-dependencies of tomcat9 have been upgraded to a new upstream release:

bnd
osgi-core
osgi-compendium
osgi-annotation
eclipse-jdt-core
felix-resolver

ELA-1636-1 xrdp security update (by )

Thu, 05 Feb 2026 20:27:46 +0530

Package : xrdp

Version : 0.9.9-1+deb10u5 (buster)

Related CVEs : CVE-2025-68670

xrdp is an open source RDP server. It was found that xrdp contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system.

ELA-1615-2 tomcat9 regression update (by )

Tue, 03 Feb 2026 11:46:46 +0100

Package : tomcat9

Version : 9.0.107-0+deb10u2 (buster)

The tomcat9 security update, released as ELA-1615-1, introduced a regression. Several classes were missing in tomcat9-jasper-el.jar and tomcat9-embed-el.jar due to toolchain changes between version 9.0.31 and 9.0.107 which required a newer version of bnd, a tool to create and diagnose OSGi bundles. Those classes have been restored.

ELA-1635-1 python-tornado security update (by )

Mon, 02 Feb 2026 00:28:14 +0100

Package : python-tornado

Version : 5.1.1-4+deb10u3 (buster)

Multiple vulnerabilities were discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.

CVE-2025-67724

Custom reason phrases can cause multiple vulnerabilities (like XSS,
header injection, ...) due to being used unescaped in HTTP headers.

CVE-2025-67725

A single maliciously crafted HTTP request can cause a possible DoS
due to quadratic performance of repeated header lines.

CVE-2025-67726

An inefficient algorithm when parsing parameters for HTTP header
values can potentially cause a DoS.

ELA-1634-1 pyasn1 security update (by )

Sun, 01 Feb 2026 23:20:10 +0530

Package : pyasn1

Version : 0.1.9-2+deb9u1 (stretch), 0.4.2-3+deb10u1 (buster)

Related CVEs : CVE-2026-23490

It was discovered that pyasn1, a generic ASN.1 library for Python, is prone to a denial of service vulnerability, which may result in memory exhaustion from malformed OID/RELATIVE-OID with excessive continuation octets.

ELA-1633-1 modsecurity-apache security update (by )

Sun, 01 Feb 2026 17:08:20 +0530

Package : modsecurity-apache

Version : 2.9.1-2+deb9u5 (stretch)

Related CVEs : CVE-2025-54571

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario.

ELA-1632-1 ceph security update (by )

Sun, 01 Feb 2026 03:55:32 +0530

Package : ceph

Version : 10.2.11-2+deb9u4 (stretch), 12.2.11+dfsg1-2.1+deb10u3 (buster)

Related CVEs : CVE-2024-47866

Ceph is a distributed object, block, and file storage platform. Using the argument x-amz-copy-source to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack.

ELA-1631-1 libsodium security update (by )

Sun, 01 Feb 2026 03:41:31 +0530

Package : libsodium

Version : 1.0.17-1+deb10u1 (buster)

Related CVEs : CVE-2025-69277

It was discovered that the crypto_core_ed25519_is_valid_point() function of the Sodium cryptography library mishandled checks for valid elliptic curve points.

Join Freexian (by )

Fri, 30 Jan 2026 11:07:07 +0200

We are always looking for talented individuals who embrace our mission statement and our values. Have a look at the job descriptions below and feel free to apply if there’s a match!

Open positions

Senior Sales & Business Development Manager

We are seeking a proactive and results-driven Senior Sales & Business Development Manager to spearhead the next stage of growth for the sales and business development functions within our organization.

To date, Freexian’s growth has primarily been driven by our strong presence in the Debian community and positive word-of-mouth referrals. We believe there is significant potential to explore untapped markets and expand our reach further. In this role you will be responsible for developing and executing strategic sales plans & processes, identifying market opportunities, generating new leads, and fostering strong relationships with key clients. You will collaborate closely with leadership and service owners to ensure alignment between market needs and our service offerings, playing a key role in shaping our business strategy. This role requires strategic thinking, excellent communication skills, and a commitment to continuously improve our sales processes.

Click here to see the full job description and apply. Alternatively, you can also send a mail to job-sales-manager@freexian.odoo.com with your motivations and a PDF resume attached.

Positions with regular recruitment

Please be aware that we expect all technical staff to be official Debian members. If you don’t have that status yet, ideally you have some history of contributions and you should be willing to apply to Debian’s new member process.

We also expect candidates for technical positions to have the skills required to help with our LTS and ELTS services, and to be willing to work part-time on security updates for old versions of Debian (see Software developer role below).

To apply to one of the roles below, please reach out to the Freexian managers. Feel free to join a cover letter and a resume detailing diplomas or professional experiences you deem relevant.

Software developer

We need developers who are able to provide security updates for our customers. Requirements:

have a good understanding of computer security issues;
be able to read and write code in many different programming languages;
know Debian packaging and Debian security-related processes.

Developers will also be tasked to build Freexian’s internal infrastructure and new service offerings. Our software stack is based on Python (and Django for the web part).

Debian expert

We need Debian experts that have a broad experience in IT and building custom solutions with Debian. We have customers that are looking for our help to:

audit their infrastructure and workflows, often in relationship with building their own derivative;
troubleshoot problems;
package software for Debian;
better interact with Debian;
get advice on new projects, etc.

ELA-1630-1 dcmtk security update (by )

Wed, 28 Jan 2026 13:09:38 +0100

Package : dcmtk

Version : 3.6.4-2.1+deb10u5 (buster)

Related CVEs : CVE-2025-14607 CVE-2025-14841

Two vulnerabilities have been addressed in DCMTK, a collection of libraries and applications implementing large parts of the DICOM standard for medical images.

CVE-2025-14607

Possible memory corruption caused by illegal attributes in datasets which
are processed by DcmByteString functions.

CVE-2025-14841

Invalid messages sent to dcmqrscp, the Image Central Test Node, may
trigger a segmentation fault due to a NULL pointer being de-referenced.

ELA-1629-1 apache-log4j2 security update (by )

Wed, 28 Jan 2026 13:01:57 +0100

Package : apache-log4j2

Version : 2.17.1-1~deb10u2 (buster)

Related CVEs : CVE-2025-68161

In Apache Log4j2, a Java Logging Framework, the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under specific and hard to exploit conditions.

ELA-1628-1 edk2 security update (by )

Wed, 28 Jan 2026 12:32:47 +0100

Package : edk2

Version : 2020.11-2+deb10u1 (buster)

Multiple security vulnerabilities have been fixed in EDK II, a modern, feature-rich, cross-platform firmware development environment. Remotely exploitable buffer overflows and out-of-bounds or infinite loop vulnerabilities may lead to a denial of service or the execution of arbitrary code.

ELA-1626-1 apache2 security update (by )

Mon, 26 Jan 2026 23:58:32 +0100

Package : apache2

Version : 2.4.25-3+deb9u22 (stretch)

Multiple vulnerabilities were fixed in apache HTTPD server, a popular webserver.

CVE-2025-58098

Apache HTTP Server with Server Side Includes (SSI) enabled
and mod_cgid (but not mod_cgi) passes the shell-escaped
query string to #exec cmd="..." directives

CVE-2025-65082

Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability was found in Apache HTTP Server through
environment variables set via the Apache configuration
unexpectedly superseding variables calculated
by the server for CGI programs

CVE-2025-66200

A mod_userdir+suexec bypass vulnerability via AllowOverride FileInfo was
found in Apache HTTP Server. Users with access to use the RequestHeader directive
in htaccess can cause some CGI scripts to run under an unexpected userid.

ELA-1627-1 python-django security update (by )

Mon, 26 Jan 2026 11:40:09 -0800

Package : python-django

Version : 1:1.10.7-2+deb9u29 (stretch), 1:1.11.29-1+deb10u18 (buster)

Multiple vulnerabilities were discovered in Django, the Python-based web development framework:

CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+.
CVE-2024-27351: Fix a potential regular expression denial-of-service (“ReDoS”) attack in django.utils.text.Truncator.words. This method (with html=True) and the truncatewords_html template filter were subject to a potential regular expression denial-of-service attack via a suitably crafted string. This is, in part, a follow up to CVE-2019-14232 and CVE-2023-43665.
CVE-2024-39614: Fix a potential denial-of-service in django.utils.translation.get_supported_language_variant. This method was subject to a potential DoS attack when used with very long strings containing specific characters. To mitigate this vulnerability, the language code provided to get_supported_language_variant is now parsed up to a maximum length of 500 characters.
CVE-2024-45231: Potential user email enumeration via response status on password reset. Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger.

ELA-1625-1 apache2 security update (by )

Mon, 26 Jan 2026 19:17:53 +0100

Package : apache2

Version : 2.4.59-1~deb10u6 (buster)

Multiple vulnerabilities were fixed in apache HTTPD server, a popular webserver.

CVE-2025-55753

Update mod_md to v2.6.6

An integer overflow was found. In the case of failed ACME certificate
renewal leads, after a number of failures (~30 days in default
configurations), to the backoff timer becoming 0. Attempts to renew
the certificate then are repeated without delays until it succeeds

CVE-2025-58098

Apache HTTP Server with Server Side Includes (SSI) enabled
and mod_cgid (but not mod_cgi) passes the shell-escaped
query string to #exec cmd="..." directives

CVE-2025-65082

Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability was found in Apache HTTP Server through
environment variables set via the Apache configuration
unexpectedly superseding variables calculated
by the server for CGI programs

CVE-2025-66200

A mod_userdir+suexec bypass vulnerability via AllowOverride FileInfo was
found in Apache HTTP Server. Users with access to use the RequestHeader directive
in htaccess can cause some CGI scripts to run under an unexpected userid.

ELA-1624-1 imagemagick security update (by )

Mon, 26 Jan 2026 17:13:58 +0100

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u25 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u14 (buster)

Multiple vulnerabilities were fixed in imagemagick an image manipulation software suite.

CVE-2026-23874

A stack overflow was found via infinite recursion in
MSL (Magick Scripting Language) `<write>` command when
writing to MSL format.

CVE-2026-23876

A heap buffer overflow vulnerability was found in the XBM
image decoder (ReadXBMImage) allows an attacker to write
controlled data past the allocated heap buffer when
processing a maliciously crafted image file.
Any operation that reads or identifies an image can
trigger the overflow, making it exploitable via common
image upload and processing pipelines.

CVE-2026-23952

NULL pointer dereference was found in MSL parser via <comment>
tag before image load

ELA-1623-1 openjdk-11 security update (by )

Mon, 26 Jan 2026 16:30:22 +0100

Package : openjdk-11

Version : 11.0.30+7-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in incorrect certificate validation, CRLF injection or man-in-the-middle attacks.

ELA-1622-1 php7.3 security update (by )

Sun, 25 Jan 2026 19:23:14 +0100

Package : php7.3

Version : 7.3.31-1~deb10u12 (buster)

Related CVEs : CVE-2025-14178

Security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in server side request forgery or denial of service.

CVE-2025-14178: Heap buffer overflow in array_merge().
GHSA-www2-q4fc-65wf: dns_get_record() and other DNS functions don’t have any null contain check, which may lead to SSRF or unexpected behavior. While this has a (low) security impact, no CVE ID was assigned for this vulnerability yet.

ELA-1621-1 taglib security update (by )

Sun, 25 Jan 2026 13:28:39 +0100

Package : taglib

Version : 1.11.1+dfsg.1-0.3+deb9u2 (stretch), 1.11.1+dfsg.1-0.3+deb10u2 (buster)

Related CVEs : CVE-2023-47466

An issues has been found in taglib, an audio meta-data library. The issue is related to a segmentation violation and a resulting application crash due to processing a crafted WAV file in which an id3 chunk is the only valid chunk.

ELA-1620-1 zvbi security update (by )

Sun, 25 Jan 2026 13:26:36 +0100

Package : zvbi

Version : 0.2.35-13+deb9u1 (stretch), 0.2.35-16+deb10u1 (buster)

Several issues have been found in zvbi, a Vertical Blanking Interval decoder. CVE-2025-2173 is related to an uninitialized pointer in src/conv.c:: vbi_strndup_iconv_ucs2() The other issues are related to integer overflows in several functions distributed all over the code.

ELA-1619-1 inetutils security update (by )

Sun, 25 Jan 2026 12:27:45 +0100

Package : inetutils

Version : 1.9.4-2+deb9u4 (stretch), 2:1.9.4-7+deb10u4 (buster)

Related CVEs : CVE-2026-24061

Kyu Neushwaistein aka Carlos Cortes Alvarez found that inetutils, a collection of common network programs, was vulnerable to an authentication bypass problem in telnetd, which could lead to remote root shell access (if telnetd is enabled and exposed).

As described also in the GNU InetUtils security advisory, it is not recommended to run telnetd server at all. At a minimum, restrict network access to the telnet port to trusted clients only. There is after all no encryption built into the telnet protocol, so authentication details would be sent in plain text over the network (which thus needs to be trusted).

For more details see the GNU InetUtils Security Advisory: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html

ELA-1618-1 python-urllib3 security update (by )

Fri, 23 Jan 2026 16:58:20 +0100

Package : python-urllib3

Version : 1.24.1-1+deb10u5 (buster)

Related CVEs : CVE-2026-21441

It was discovered that python-urllib3, an HTTP library with thread-safe connection pooling for Python, was reading the entire response body to drain the connection and unnecessarily decompressed the content when following HTTP redirects via the streaming API.

This decompression occured in way that bypassed the library’s decompression-bomb safeguards. A malicious server could therefore exploit this behavior to trigger denial of service on the client due to excessive resource consumption (high CPU usage and large memory allocations).

ELA-1617-1 gpsd security update (by )

Mon, 19 Jan 2026 22:36:05 +0100

Package : gpsd

Version : 3.17-7+deb10u1 (buster)

Related CVEs : CVE-2025-67268 CVE-2025-67269

Multiple vulnerabilities were found in gpsd, a service daemon that monitors Global Navigation Satellite System (GNSS) receivers attached to a host computer through serial or USB ports.

CVE-2025-67268

gpsd contains a heap-based out-of-bounds write
vulnerability in the drivers/driver_nmea2000.c file.
The hnd_129540 function, which handles NMEA2000 PGN 129540
(GNSS Satellites in View) packets, fails to validate the
user-supplied satellite count against the size of the skyview
array (184 elements). This allows an attacker to write beyond
the bounds of the array by providing a satellite count up
to 255, leading to memory corruption, Denial of Service (DoS),
and potentially arbitrary code execution.

CVE-2025-67269

An integer underflow vulnerability exists in the `nextstate()`
function in `gpsd/packet.c`.
When parsing a NAVCOM packet, the payload length is calculated
using `lexer->length = (size_t)c - 4` without checking if
the input byte `c` is less than 4. This results in an unsigned
integer underflow, setting `lexer->length` to a very large value
(near `SIZE_MAX`). The parser then enters a loop attempting to
consume this massive number of bytes, causing 100% CPU utilization
and a Denial of Service (DoS) condition.

ELA-1616-1 cjose security update (by )

Mon, 19 Jan 2026 02:46:32 +0100

Package : cjose

Version : 0.4.1-3+deb9u1 (stretch)

Related CVEs : CVE-2023-37464

It was discovered that the AES GCM decryption routine of cjose, a C library implementing the JOSE standard, incorrectly uses the tag length from the actual authentication tag provided in the JWE instead of the specified fixed length of 16 bytes.

This allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly.

ELA-1615-1 tomcat9 security update (by )

Sat, 17 Jan 2026 15:22:40 +0100

Package : tomcat9

Version : 9.0.107-0+deb10u1 (buster)

Several security vulnerabilities have been found in Tomcat 9, a Java web server and servlet engine. Most notably the update improves the handling of HTTP/2 connections and corrects various flaws which can lead to uncontrolled resource consumption and a Denial of Service (DoS)

A risk analysis was carried out, and it was determined that the best available solution was to backport the bullseye version of Tomcat to buster. This decision means that upon installing this update users of Tomcat in buster will be moving from a Tomcat version of 9.0.31 to 9.0.107.

Unfortunately, some minor incompatibilities may arise, as documented at the end of this advisory.

CVE-2024-34750: Tomcat was affected by an improper handling of exceptional conditions vulnerability. Tomcat mishandled excessive HTTP/2 headers, causing stream miscounts and infinite timeouts that allowed connections to remain open and trigger a denial of service.
CVE-2024-54677: Tomcat was affected by an uncontrolled resource consumption vulnerability. Crafted requests to the bundled examples app could exhaust resources and lead to denial of service.
CVE-2025-31650: Tomcat was affected by an improper input validation vulnerability. Invalid HTTP priority headers were not cleaned up correctly, causing memory leaks that could accumulate and result in an OutOfMemoryException and denial of service.
CVE-2025-31651: Tomcat was affected by an improper neutralization vulnerabiltiy. Certain rewrite rule configurations allowed specially crafted requests to bypass rewrite rules, potentially bypassing associated security constraints.
CVE-2025-46701: Tomcat was affected by an improper handling of case sensitivity vulnerability. The CGI servlet failed to correctly enforce case‑sensitive pathInfo checks, enabling attackers to bypass security constraints by altering URL casing.
CVE-2025-48976: Tomcat was affected by an allocation of resources without limits vulnerabilty. Multipart headers could be crafted in large numbers to consume excessive memory, enabling Denial of Service (DoS).
CVE-2025-48988: Tomcat was affected by an allocation of resources without limits vulnerabilty. Tomcat allowed multipart uploads with many large headers, enabling attackers to exhaust memory and cause Denial of Service (DoS)
CVE-2025-49125: Tomcat was affected by an authentication bypass vulnerability. PreResources or PostResources mounted outside the root could be accessed through unexpected paths not protected by the intended security constraints, enabling bypass of authentication rules.
CVE-2025-52434: Tomcat was affected by a race condition. Improper synchronization during client‑initiated HTTP/2 connection closes could trigger crashes in the APR/Native connector, leading to Denial of Service (DoS).
CVE-2025-52520: Tomcat was affected by an integer overflow. Certain multipart upload configurations could trigger an integer overflow, allowing attackers to bypass size limits and cause Denial of Service (DoS)
CVE-2025-53506: Tomcat was affected by an uncontrolled resource consumption vulnerability. If an HTTP/2 client failed to acknowledge the initial settings frame, Tomcat could allow excessive concurrent streams, resulting in Denial of Service (DoS)

To remediate vulnerabilities in the Tomcat 9 server stack, an upgrade was performed instead of applying minimal patching. The following notworthy changes where identified:

Hardened AJP connector: secretRequired defaults to true. A workarround is to requires explicit config: secretRequired=“false” or better from a security point of view set a secret
Deprecated RemoteAddrFilter and RemoteHostFilter. You may migrate to RemoteCIDRFilter and RemoteCIDRValve
Fix of Session ID propagation for SSO Valve. This may break SSO.

Monthly report about Debian Long Term Support, December 2025 (by Santiago Ruano Rincón)

Santiago Ruano Rincón — Fri, 16 Jan 2026 00:00:00 +0000

The Debian LTS Team, funded by [Freexian’s Debian LTS offering] (https://www.freexian.com/lts/debian/), is pleased to report its activities for December.

Activity summary

During the month of December, 18 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 41 DLAs fixing 252 CVEs.

The team currently focuses on preparing security updates for Debian 11 “bullseye”, but also looks for contributing with updates for Debian 12 “bookworm”, Debian 13 “trixie” and even Debian unstable.

Notable security updates:

libsoup2.4 (DLA-4398-1), prepared by Andreas Henrikson, fixing several vulnerabilities.
glib2.0 (DLA-4412-1), published by Emilio Pozuelo Monfort, addressing multiple issues.
lasso (DLA-4397-1), prepared by Sylvain Beucler, addressing multiple issues, including a critical remote code execution (RCE) vulnerability (CVE-2025-47151)
roundcube (DLA 4415-1), prepared by Guilhem Moulin, fixing a cross-site-scripting (XSS) (CVE-2025-68461) and an information disclosure (CVE-2025-68460) vulnerabilities
mediawiki (DLA 4428-1), published by Guilhem, fixing multiple vulnerabilities could lead to information disclosure, denial of service or privilege escalation.
While the DLA has not been published yet, Charles Henrique Melara proposed upstream fixes for seven CVEs in ffmpeg: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21275.
python-apt (DLA 4408-1), prepared by Utkarsh Gupta, in coordination with the Debian Security Team and Julian Andres Klode, the apt’s maintainer.
libpng1.6 (DLA-4396-1), published by Tobias Frost, completing the work started the previous month.

Notable non-security updates:

tzdata (DLA-4403-1), prepared by Emilio, including the latest changes to the leap second list and its expiry date, which was set for the end of December.

Contributions from outside the LTS Team:

Christoph Berg, co-maintainer of PostgreSQL in Debian, prepared a postgresql-13 update, released as DLA-4420-1

The LTS Team has also contributed with updates to the latest Debian releases:

Andreas proposed trixie and bookworm point updates for pgbouncer
Abhijith PA prepared a bookworm point update for php-dompdf
Thorsten Alteholz prepared an unstable update and a trixie point update for libcoap3
Thorsten prepared or completed different updates for unstable, trixie and bookworm for packages related to cups: an unstable update of cups to fix several issues related to the latest security update, a trixie point update for libcupsfilters, and trixie and bookworm point updates for cups-filter.
Bastien Roucariès prepared unstable, trixie and bookworm point updates for imagemagick
Bastien completed the bookworm point update for angular.js and the bookworm point update for squid.
Charles completed the bookworm point update for gdk-pixbuf.
Utkarsh prepared a trixie update for wordpress, that was released as DSA-6091-1.
Tobias prepared bookworm and trixie updates for libpng1.6, released as DSA-6076-1.
Tobias prepared sogo updates targeting unstable, and point updates of trixie and bookworm

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 123 months)
- Civil Infrastructure Platform (CIP) (for 91 months)
- VyOS Inc (for 55 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 133 months)
- CONET Deutschland GmbH (for 117 months)
- Plat’Home (for 116 months)
- University of Oxford (for 73 months)
- EDF SA (for 45 months)
- Dataport AöR (for 20 months)
- CERN (for 18 months)
Silver sponsors:
- Domeneshop AS (for 138 months)
- Nantes Métropole (for 132 months)
- Akamai - Linode (for 128 months)
- Univention GmbH (for 124 months)
- Université Jean Monnet de St Etienne (for 124 months)
- Ribbon Communications, Inc. (for 118 months)
- Exonet B.V. (for 108 months)
- Leibniz Rechenzentrum (for 102 months)
- Ministère de l’Europe et des Affaires Étrangères (for 86 months)
- Dinahosting SL (for 73 months)
- Upsun Formerly Platform.sh (for 67 months)
- Deveryware (for 61 months)
- Moxa Inc. (for 61 months)
- sipgate GmbH (for 59 months)
- OVH US LLC (for 57 months)
- Tilburg University (for 57 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 48 months)
- THINline s.r.o. (for 21 months)
- Copenhagen Airports A/S (for 15 months)
- Conseil Départemental de l’Isère
Bronze sponsors:
- Seznam.cz, a.s. (for 139 months)
- Evolix (for 138 months)
- Intevation GmbH (for 135 months)
- Linuxhotel GmbH (for 135 months)
- Daevel SARL (for 134 months)
- Megaspace Internet Services GmbH (for 133 months)
- Greenbone AG (for 132 months)
- NUMLOG (for 132 months)
- WinGo AG (for 131 months)
- Entr’ouvert (for 123 months)
- Adfinis AG (for 120 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 115 months)
- Tesorion (for 115 months)
- Bearstech (for 106 months)
- LiHAS (for 106 months)
- Catalyst IT Ltd (for 101 months)
- Demarcq SAS (for 95 months)
- Université Grenoble Alpes (for 81 months)
- TouchWeb SAS (for 73 months)
- SPiN AG (for 70 months)
- CoreFiling (for 66 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 57 months)
- Tem Innovations GmbH (for 52 months)
- WordFinder.pro (for 52 months)
- CNRS DT INSU Résif (for 50 months)
- Soliton Systems K.K. (for 46 months)
- Alter Way (for 43 months)
- Institut Camille Jordan (for 33 months)
- SOBIS Software GmbH (for 18 months)
- Tuxera Inc. (for 9 months)
- OPM-OP AS

ELA-1613-1 postgresql-9.6 security update (by )

Thu, 15 Jan 2026 20:18:43 +0100

Package : postgresql-9.6

Version : 9.6.24-0+deb9u10 (stretch)

Multiple vulnerabilities were fixed in PostgreSQL, a popular database.

CVE-2025-4207: Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq.
CVE-2025-8713: PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained.
CVE-2025-8714: Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096.
CVE-2025-8715: Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
CVE-2025-12818: Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq.

ELA-1612-1 postgresql-11 security update (by )

Thu, 15 Jan 2026 20:12:30 +0100

Package : postgresql-11

Version : 11.22-0+deb10u6 (buster)

Multiple vulnerabilities were fixed in PostgreSQL, a popular database.

CVE-2025-4207: Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq.
CVE-2025-8713: PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained.
CVE-2025-8714: Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096.
CVE-2025-8715: Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
CVE-2025-12817: Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail.
CVE-2025-12818: Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq.

ELA-1614-1 linux-6.1 security update (by )

Thu, 15 Jan 2026 19:25:33 +0100

Package : linux-6.1

Version : 6.1.159-1~deb9u1 (stretch), 6.1.159-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1611-1 samba security update (by )

Thu, 15 Jan 2026 16:42:13 +0100

Package : samba

Version : 2:4.5.16+dfsg-1+deb9u6 (stretch), 2:4.9.5+dfsg-5+deb10u6 (buster)

Related CVEs : CVE-2025-9640

A vulnerability was found in Samba, a SMB/CIFS file, print, and login server for Unix, in the streams_xattr VFS server module, where uninitialized heap memory could be written into alternate data streams. An authenticated attacker can read residual memory content that may include sensitive data.

ELA-1610-1 gnupg2 security update (by )

Wed, 14 Jan 2026 15:17:22 -0500

Package : gnupg2

Version : 2.1.18-8~deb9u6 (stretch), 2.2.12-1+deb10u3 (buster)

Related CVEs : CVE-2025-68973

Several issues have been discovered in gnupg2, a tool for secure communication and data storage.

CVE-2025-68973

There exist memory corruptions in the armor parsing code of GnuPG
that can be exploited to provide primitives like out of bounds
buffer read and write. This might be exploitable to the point of
remote code execution (RCE).

Additional issues:

+ Potential key signature digest algorithm downgrade.

  GnuPG may downgrade the message digest algorithm to insecure SHA1
  algorithm during signature checking due to reading from
  uninitialized memory. This reduces the security of User ID
  Certification Signatures to that of SHA1. SHA1 suffers from known
  cryptographic weaknesses like chosen prefix attacks.

+ Multiple plaintext attack on detached PGP signatures.

  An attacker can arbitrarily swap the plaintext shown to a GnuPG
  user, when the user verifies a detached signature versus views it
  with `--decrypt`. This attack allows deceiving users verifying
  messages, following GnuPG usage best practices about the content
  of a message signed with a detached signature. Note, that it is
  possible in many scenarios to convert between signature types,
  i.e., convert a different signature type to a detached signature.

+ GnuPG Accepts Path Separators and Path Traversals in Literal Data.

  GnuPG accepts arbitrary file paths in the unsigned Literal Data
  packet filename field and uses that value without sufficient
  sanitization. In combination with tricking a user with ANSI
  formatted output that changes GnuPG output with deceptive apparent
  GnuPG logs, this can lead to creation or overwrite of any file on
  the system the user can write to, including executable files which
  the user may later execute.

Debian Contributions: dh-python development, Python 3.14 and Ruby 3.4 transitions, Surviving scraper traffic in Debian CI and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Tue, 13 Jan 2026 00:00:00 +0000

Debian Contributions: 2025-12

dh-python development, by Stefano Rivera

In Debian we build our Python packages with the help of a debhelper-compatible tool, dh-python. Before starting the 3.14 transition (that would rebuild many packages) we landed some updates to dh-python to fix bugs and add features. This started a month of attention on dh-python, iterating through several bug fixes, and a couple of unfortunate regressions.

dh-python is used by almost all packages containing Python (over 5000). Most of these are very simple, but some are complex and use dh-python in unexpected ways. It’s hard to avoid almost any change (including obvious bug fixes) from causing some unexpected knock-on behaviour. There is a fair amount of complexity in dh-python, and some rather “clever” code, which can make it tricky to work on.

All of this means that good QA is important. Stefano spent some time adding type annotations and specialized types to make it easier to see what the code is doing and catch mistakes. This has already made work on dh-python easier.

Now that Debusine has built-in repositories and debdiff support, Stefano could quickly test the effects of changes on many other packages. After each big change, he could upload dh-python to a repository, rebuild e.g. 50 Python packages with it, and see what differences appeared in the output. Reviewing the diffs is still a manual process, but can be improved.

Stefano did a small test on what it would take to replace direct setuptools setup.py calls with PEP-517 (pyproject-style) builds. There is more work to do here.

Python 3.14 transition, by Stefano Rivera (et al.)

In December the transition to add Python 3.14 as a supported version started in Debian unstable. To do this, we update the list of supported versions in python3-defaults, and then start rebuilding modules with C extensions from the leaves inwards. This had already been tested in a PPA and Ubuntu, so many of the biggest blocking compatibility issues with 3.14 had already been found and fixed. But there are always new issues to discover.

Thanks to a number of people in the Debian Python team, we got through the first bit of the transition fairly quickly. There are still a number of open bugs that need attention and many failed tests blocking migration to testing.

Python 3.14.1 released just after we started the transition, and very soon after, a follow-up 3.14.2 release came out to address a regression. We ran into another regression in Python 3.14.2.

Ruby 3.4 transition, by Lucas Kanashiro (et al.)

The Debian Ruby team just started the preparation to move the default Ruby interpreter version to 3.4. At the moment, ruby3.4 source package is already available in experimental, also ruby-defaults added support to Ruby 3.4. Lucas rebuilt all reverse dependencies against this new version of the interpreter and published the results here. Lucas also reached out to some stakeholders to coordinate the work.

Next steps are: 1) announcing the results to the whole team and asking for help to fix packages failing to build against the new interpreter; 2) file bugs against packages FTBFSing against Ruby 3.4 which are not fixed yet; 3) once we have a low number of build failures against Ruby 3.4, ask the Debian Release team to start the transition in unstable.

Surviving scraper traffic in Debian CI, by Antonio Terceiro

Like most of the open web, Debian Continuous Integration has been struggling for a while to keep up with the insatiable hunger from data scrapers everywhere. Solving this involved a lot of trial and error; the final result seems to be stable, and consists of two parts.

First, all Debian CI data pages, except the direct links to test log files (such as those provided by the Release Team’s testing migration excuses), now require users to be authenticated before being accessed. This means that the Debian CI data is no longer publicly browseable, which is a bit sad. However, this is where we are now.

Additionally, there is now a fail2ban powered firewall-level access limitation for clients that display an abusive access pattern. This went through several iterations, with some of them unfortunately blocking legitimate Debian contributors, but the current state seems to strike a good balance between blocking scrapers and not blocking real users. Please get in touch with the team on the #debci OFTC channel if you are affected by this.

A hybrid dependency solver for crossqa.debian.net, by Helmut Grohne

crossqa.debian.net continuously cross builds packages from the Debian archive. Like Debian’s native build infrastructure, it uses dose-builddebcheck to determine whether a package’s dependencies can be satisfied before attempting a build. About one third of Debian’s packages fail this check, so understanding the reasons is key to improving cross building. Unfortunately, dose-builddebcheck stops after reporting the first problem and does not display additional ones.

To address this, a greedy solver implemented in Python now examines each build-dependency individually and can report multiple causes. dose-builddebcheck is still used as a fall-back when the greedy solver does not identify any problems. The report for bazel-bootstrap is a lengthy example.

rebootstrap, by Helmut Grohne

Due to the changes suggested by Loongson earlier, rebootstrap now adds debhelper to its final installability test and builds a few more packages required for installing it. It also now uses a variant of build-essential that has been marked Multi-Arch: same (see foundational work from last year).

This in turn made the use of a non-default GCC version more difficult and required more work to make it work for gcc-16 from experimental. Ongoing archive changes temporarily regressed building fribidi and dash. libselinux and groff have received patches for architecture specific changes and libverto has been NMUed to remove the glib2.0 dependency.

Miscellaneous contributions

Stefano did some administrative work on debian.social and debian.net instances and Debian reimbursements.
Stefano did routine updates of python-authlib, python-mitogen, xdot.
Stefano spent several hours discussing Debian’s Python package layout with the PyPA upstream community. Debian has ended up with a very different on-disk installed Python layout than other distributions, and this continues to cause some frustration in many communities that have to have special workarounds to handle it. This ended up impacting cross builds as Helmut discovered.
Raphaël set up Debusine workflows for the various backports repositories on debusine.debian.net.
Zulip is not yet in Debian (RFP in #800052), but Raphaël helped on the French translation as he is experimenting with that discussion platform.
Antonio performed several routine Salsa maintenance tasks, including fixing salsa-nm-sync, the service that synchronizes project members data from LDAP to Salsa, which had been broken since salsa.debian.org was upgraded to “trixie”.
Antonio deployed a new amd64 worker host for Debian CI.
Antonio did several DebConf technical and administrative bits, including but adding support for custom check-in/check-out dates in the MiniDebConf registration module, publishing a call for bids for DebConf27.
Carles reviewed and submitted 14 Catalan translations using po-debconf-manager.
Carles improved po-debconf-manager: added “delete-package” command, “show-information” now uses properly formatted output (YAML), it now attaches the translation on the bug reports for which a merge request has been opened too long.
Carles investigated why some packages appeared in po-debconf-manager but not in the Debian l10n list. Turns out that some packages had debian/po/templates.pot (appearing in po-debconf-manager) but not the POTFILES.in file as expected. Created a script to find out which packages were in this or similar situation and reported bugs.
Carles tested and documented how to set up voices (mbrola and festival) if using Orca speech synthesizer. Commented a few issues and possible improvements in the debian-accessibility list.
Helmut sent patches for 48 cross build failures and initiated discussions on how to deal with two non-trivial matters. Besides Python mentioned above, CMake introduced a cmake_pkg_config builtin which is not aware of the host architecture. He also forwarded a Meson patch upstream.
Thorsten uploaded a new upstream version of cups to fix a nasty bug that was introduced by the latest security update.
Along with many other Python 3.14 fixes, Colin fixed a tricky segfault in python-confluent-kafka after a helpful debugging hint from upstream.
Colin upstreamed an improved version of an OpenSSH patch we’ve been carrying since 2008 to fix misleading verbose output from scp.
Colin used Debusine to coordinate transitions for astroid and pygments, and wrote up the astroid case on his blog.
Emilio helped with various transitions, and provided a build fix for opencv for the ffmpeg 8 transition.
Emilio tested the GNOME updates for “trixie” proposed updates (gnome-shell, mutter, glib2.0).
Santiago helped to review the status of how to test different build profiles in parallel on the same pipeline, using the test-build-profiles job. This means, for example, to simultaneously test build profiles such as nocheck and nodoc for the same git tree. Finally, Santiago provided MR !685 to fix the documentation.
Anupa prepared a bits post for Outreachy interns announcement along with Tássia Camões Araújo and worked on publicity team tasks.

ELA-1609-1 libidn2 security update (by )

Mon, 12 Jan 2026 14:22:25 +0100

Package : libidn2

Version : 2.0.5-1+deb10u2 (buster)

Related CVEs : CVE-2019-12290

It was found that libidn2, a library for internationalized domain names (IDNA2008/TR46), was vulnerable to a domain impersonation attack, where especially crafted domain names could impersonate other domains.

ELA-1608-1 u-boot security update (by )

Mon, 05 Jan 2026 21:24:56 +0530

Package : u-boot

Version : 2016.11+dfsg1-4+deb9u2 (stretch)

Related CVEs : CVE-2025-24857

It was found that improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbitrary code.

ELA-1607-1 gimp security update (by )

Mon, 05 Jan 2026 12:00:07 +0100

Package : gimp

Version : 2.8.18-1+deb9u7 (stretch)

Related CVEs : CVE-2007-3126 CVE-2025-14422

Multiple file parsing problems where identified in GIMP, the GNU Image Manipulation Program, that could lead to crashes or even arbitrary code execution when opening malicious files.

CVE-2007-3126: Gimp before 2.8.22 allows context-dependent attackers to cause a denial of service (crash) via an ICO file with an InfoHeader containing a Height of zero, a similar issue to CVE-2007-2237.
CVE-2025-14422: GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PNM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28273.

NOTE: See ELA-1604-1 for Debian 10 (buster).

ELA-1606-1 imagemagick security update (by )

Mon, 05 Jan 2026 10:04:32 +0100

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u24 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u13 (buster)

Multiple vulnerabilities were fixed in imagemagick an image manipulation software suite.

CVE-2025-65955

A vulnerability was found in ImageMagick’s Magick++ layer that
manifests when Options::fontFamily is invoked with an empty
string. Clearing a font family calls RelinquishMagickMemory on
_drawInfo->font, freeing the font string but leaving _drawInfo->font
pointing to freed memory while _drawInfo->family is set to that
(now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font
re-frees or dereferences dangling memory. DestroyDrawInfo and other
setters (Options::font, Image::font) assume _drawInfo->font remains
valid, so destruction or subsequent updates trigger crashes or heap
corruption

CVE-2025-66628

The TIM (PSX TIM) image parser contains a critical integer overflow
vulnerability in its ReadTIMImage function (coders/tim.c). The code
reads width and height (16-bit values) from the file header and
calculates image_size = 2 * width * height without checking for
overflow. On 32-bit systems (or where size_t is 32-bit), this
calculation can overflow if width and height are large (e.g., 65535),
wrapping around to a small value

CVE-2025-68618

Magick's failure to limit the depth of SVG file reads caused
a DoS attack.

CVE-2025-68950

Magick's failure to limit MVG mutual references forming a loop

CVE-2025-69204

Converting a malicious MVG file to SVG caused an integer overflow.

ELA-1605-1 adminer security update (by )

Sun, 04 Jan 2026 20:31:57 +0530

Package : adminer

Version : 4.7.1-1+deb10u2 (buster)

Related CVEs : CVE-2023-45195 CVE-2023-45196

Multiple vulnerabilities were found in adminer, a web-based database administration tool.

CVE-2023-45195: Adminer is vulnerable to SSRF via database connection fields. This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to.
CVE-2023-45196: Adminer allows an unauthenticated remote attacker to cause a denial of service by connecting to an attacker-controlled service that responds with HTTP redirects. The denial of service is subject to PHP configuration limits.

ELA-1604-1 gimp security update (by )

Sat, 03 Jan 2026 13:53:04 +0100

Package : gimp

Version : 2.10.8-2+deb10u6 (buster)

Related CVEs : CVE-2025-14422 CVE-2025-14425

Multiple file parsing problems where identified in GIMP, the GNU Image Manipulation Program, that could lead to crashes or even arbitrary code execution when opening malicious files.

CVE-2025-14422: GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PNM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28273.
CVE-2025-14425: GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28248.

NOTE: See ELA-1607-1 for Debian 9 (stretch).

ELA-1603-1 net-snmp security update (by )

Thu, 01 Jan 2026 13:53:27 +0100

Package : net-snmp

Version : 5.7.3+dfsg-1.7+deb9u6 (stretch), 5.7.3+dfsg-5+deb10u5 (buster)

Related CVEs : CVE-2025-68615

net-snmp is a SNMP application library, tools and daemon.

A specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.

(SNMP ports should never be open to public networks. There is no mitigation available other than ensuring ports to snmptrapd are appropriately firewalled or by upgrading.)

How files are stored by Debusine (by Stefano Rivera)

Stefano Rivera — Wed, 31 Dec 2025 00:00:00 +0000

Debusine is a tool designed for Debian developers and Operating System developers in general. This post describes how Debusine stores and manages files.

Debusine has been designed to run a network of “workers” that can perform various “tasks” that consume and produce “artifacts”. The artifact itself is a collection of files structured into an ontology of artifact types. This generic architecture should be suited to many sorts of build & CI problems. We have implemented artifacts to support building a Debian-like distribution, but the foundations of Debusine aim to be more general than that.

For example a package build task takes a debian:source-package as input and produces some debian:binary-packages and a debian:package-build-log as output.

This generalized approach is quite different to traditional Debian APT archive implementations, which typically required having the archive contents on the filesystem. Traditionally, most Debian distribution management tasks happen within bespoke applications that cannot share much common infrastructure.

File Stores

Debusine’s files themselves are stored by the File Store layer. There can be multiple file stores configured, with different policies. Local storage is useful as the initial destination for uploads to Debusine, but it has to be backed up manually and might not scale to sufficiently large volumes of data. Remote storage such as S3 is also available. It is possible to serve a file from any store, with policies for which one to prefer for downloads and uploads.

Administrators can set policies for which file stores to use at the scope level, as well as policies for populating and draining stores of files.

Artifacts

As mentioned above, files are collected into Artifacts. They combine:

a set of files with names (including potentially parent directories)
a category, e.g. debian:source-package
key-value data in a schema specified by the category and stored as a JSON-encoded dictionary.

Within the stores, files are content-addressed: a file with a given SHA-256 digest is only stored once in any given store, and may be retrieved by that digest. When a new artifact is created, its files are uploaded to Debusine as needed. Some of the files may already be present in the Debusine instance. In that case, if the file is already part of the artifact’s workspace, then the client will not need to re-upload the file. But if not, it must be reuploaded to avoid users obtaining unauthorized access to existing file contents in another private workspace or multi-tenant scope.

Because the content-addressing makes storing duplicates cheap, it’s common to have artifacts that overlap files. For example a debian:upload will contain some of the same files as the related debian:source-package as well as the .changes file.

Looking at the debusine.debian.net instance that we run, we can see a content-addressing savings of 629 GiB across our (currently) 2 TiB file store. This is somewhat inflated by the Debian Archive import, that did not need to bother to share artifacts between suites. But it still shows reasonable real-world savings.

APT Repository Representation

Unlike a traditional Debian APT repository management tool, the source package and binary packages are not stored directly in the “pool” of an APT repository on disk on the debusine server. Instead we abstract the repository into a debian:suite collection within the Debusine database. The collection contains the artifacts that make up the APT repository.

To ensure that it can be safely represented as a valid URL structure (or files on disk) the suite collection maintains an index of the pool filenames of its artifacts.

Suite collections can combine into a debian:archive collection that shares a common file pool.

Debusine collections can keep an historical record of when things were added and removed. This, combined with the database-backed collection-driven repository representation makes it very easy to provide APT-consumable snapshot views to every point in a repository’s history.

Expiry

While a published distribution probably wants to keep the full history of all its package builds, we don’t need to retain all of the output of all QA tasks that were run. Artifacts can have an expiration delay or inherit one from their workspace. Once this delay has expired, artifacts which are not being held in any collection are eligible to be automatically cleaned up.

QA work that is done in a workspace that has automatic artifact expiry, and isn’t publishing the results to an APT suite, will safely automatically expire.

Daily Vacuum

A daily vacuum task handles all of the file periodic maintenance for file stores. It does some cleanup of working areas, a scan for unreferenced & missing files, and enforces file store policies. The policy work could be copying files for backup or moving files between stores to keep them within size limits (e.g. from a local upload store into a general cloud store).

In Conclusion

Debusine provides abstractions for low-level file storage and object collections. This allows storage to be scalable beyond a single filesystem and highly available. Using content-addressed storage minimizes data duplication within a Debusine instance.

For Debian distributions, storing the archive metadata entirely in a database made providing built-in snapshot support easy in Debusine.

ELA-1602-1 python-django security update (by )

Mon, 29 Dec 2025 12:41:48 -0800

Package : python-django

Version : 1:1.10.7-2+deb9u28 (stretch), 1:1.11.29-1+deb10u17 (buster)

Related CVEs : CVE-2025-64460

A potential denial-of-service vulnerability was discovered in Django, a popular Python-based web development framework.

An algorithmic complexity issue in the getInnerText() method in the django.core.serializers.xml_serializer class could have allowed a remote attacker to cause a potential denial-of-service, triggering CPU and memory exhaustion via a specially crafted XML input submitted to a service that invokes the XML Deserializer. The vulnerability resulted from repeated string concatenation while recursively collecting text nodes which produced superlinear-style computation.

ELA-1601-1 python-urllib3 security update (by )

Fri, 26 Dec 2025 13:46:01 +0100

Package : python-urllib3

Version : 1.19.1-1+deb9u4 (stretch), 1.24.1-1+deb10u4 (buster)

Related CVEs : CVE-2025-50181 CVE-2025-66418

CVE-2025-50181: Redirects were not disabled when retries are disabled on PoolManager instantiation. An application attempting to mitigate server-side request forgery (SSRF) or open redirect vulnerabilities by disabling redirects at the PoolManager level remained vulnerable.
CVE-2025-66418: The number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps which could lead to denial of service.

ELA-1600-1 gst-plugins-base1.0 security update (by )

Fri, 26 Dec 2025 12:14:39 +0530

Package : gst-plugins-base1.0

Version : 1.10.4-1+deb9u6 (stretch), 1.14.4-2+deb10u5 (buster)

Multiple vulnerabilities were found in the plugins for the GStreamer media framework leading to a crash.

CVE-2025-47806

In GStreamer, the subparse plugin's parse_subrip_time function
may write data past the bounds of a stack buffer, leading to
a crash.

CVE-2025-47807

In GStreamer, the subparse plugin's subrip_unescape_formatting
function may dereference a NULL pointer while parsing a subtitle
file, leading to a crash.

CVE-2025-47808

In GStreamer, the subparse plugin's tmplayer_parse_line function may
dereference a NULL pointer while parsing a subtitle file, leading to
a crash.

ELA-1599-1 usbmuxd security update (by )

Mon, 22 Dec 2025 03:21:41 +0530

Package : usbmuxd

Version : 1.1.0-2+deb9u1 (stretch), 1.1.1~git20181007.f838cf6-1+deb10u1 (buster)

Related CVEs : CVE-2025-66004

It was discovered that usbmuxd, USB multiplexor daemon for iPhone and iPod Touch devices, incorrectly handled certain paths received with the SavePairRecord command. A local attacker could possibly use this issue to delete and write files named *.plist in arbitrary locations.

ELA-1598-1 roundcube security update (by )

Fri, 19 Dec 2025 21:38:39 +0100

Package : roundcube

Version : 1.3.17+dfsg.1-1~deb10u9 (buster)

Related CVEs : CVE-2025-68460 CVE-2025-68461

CVE-2025-68460: Information disclosure vulnerability in the HTML style sanitizer.
CVE-2025-68461: Cross-Site-Scripting (XSS) vulnerability via SVG’s <animate> tag, which could allow a remote attacker to load arbitrary JavaScript code and might lead to privilege escalation or information disclosure via malicious SVG document.

ELA-1597-1 glib2.0 security update (by )

Thu, 18 Dec 2025 14:34:09 +0100

Package : glib2.0

Version : 2.50.3-2+deb9u8 (stretch), 2.58.3-2+deb10u9 (buster)

Debusine repositories now in beta (by Colin Watson)

Colin Watson — Tue, 16 Dec 2025 00:00:00 +0000

We’re happy to announce that Debusine can now be used to maintain APT-compatible add-on package repositories for Debian. This facility is available in public beta to Debian developers and maintainers.

Why?

Debian developers typically put most of their effort towards maintaining the main Debian archive. However, it’s often useful to have other places to work, for various reasons:

Developers working on a set of packages might need to check that changes to several of them all work properly together on a real system.
Somebody fixing a bug might need to ask affected users to test the fix before uploading it to Debian.
Some projects are difficult to package in a way that meets Debian policy, or are too niche to include in Debian, but it’s still useful to distribute them in a packaged form.
For some packages, it’s useful to provide multiple upstream versions for multiple Debian releases, even though Debian itself would normally want to keep that to a minimum.

The Ubuntu ecosystem has had PPAs for a long time to meet these sorts of needs, but people working directly on Debian have had to make do with putting things together themselves using something like reprepro or aptly. Discussions about this have been happening for long enough that people started referring to PPAs for Debian as “bikesheds”, and users often find themselves trying to use Ubuntu PPAs on Debian systems and hoping that dependencies will be compatible enough for things to more or less work. This clearly isn’t ideal, and solving it is one of Freexian’s objectives for Debusine.

Developers publishing packages to Debusine repositories can take advantage of all Debusine’s existing facilities, including a battery of QA tests and regression tracking (coming soon). Repositories are signed using per-repository keys held in Debusine’s signing service, and uploads to repositories are built against the current contents of that repository as well as the corresponding base Debian release. All repositories include automatic built-in snapshot capabilities.

Who can use this service?

We’ve set up debusine.debian.net to allow using repositories. All Debian Developers and Debian Maintainers can log in there and publish packages to it. The resulting repositories are public by default.

debusine.debian.net only allows packages with licences that allow distribution by Debian, and it is intended primarily for work that could reasonably end up in Debian; Freexian reserves the right to remove repositories from it.

How can I use it?

If you are a Debian contributor, we’d be very excited to have you try this out, especially if you give us feedback. We have published instructions for developers on using this. Since this is a beta service, you can expect things to change, but we’ll maintain compatibility where we can.

If you’re interested in using this in a commercial setting, please contact Freexian to discuss what we can do for you.

Monthly report about Debian Long Term Support, November 2025 (by Santiago Ruano Rincón)

Santiago Ruano Rincón — Tue, 16 Dec 2025 00:00:00 +0000

The Debian LTS Team, funded by [Freexian’s Debian LTS offering] (https://www.freexian.com/lts/debian/), is pleased to report its activities for November.

Activity summary

During the month of November, 18 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 33 DLAs fixing 219 CVEs.

The LTS Team kept going with the usual cadence of preparing security updates for Debian 11 “bullseye”, but also for Debian 12 “bookworm”, Debian 13 “trixie” and even Debian unstable. As in previous months, we are pleased to say that there have been multiple contributions of LTS uploads by Debian Fellows outside the regular LTS Team.

Notable security updates:

Guilhem Moulin prepared DLA 4365-1 for unbound, a caching DNS resolver, fixing a cache poisoning vulnerability that could lead to domain hijacking.
Another update related to DNS software was made by Andreas Henriksson. Andreas completed the work on bind9, released as DLA 4364-1 to fix cache poisoning and Denial of Service (DoS) vulnerabilities.
Chris Lamb released DLA 4374-1 to fix a potential arbitrary code execution vulnerability in pdfminer, a tool for extracting information from PDF documents.
Ben Hutchings published a regular security update for the linux 6.1 bullseye backport, as DLA 4379-1.
A couple of other important recurrent updates were prepared by Emilio Pozuelo, who handled firefox-esr and thunderbird (in collaboration with Christoph Goehre), published as DLAs DLA 4370-1 and DLA 4372-1, respectively.

Contributions from fellows outside the LTS Team:

Thomas Goirand uploaded a bullseye update for keystone and swift
Jeremy Bícha prepared the bullseye update for gst-plugins-base1.0
As mentioned above, Christoph Goehre prepared the bullseye update for thunderbird.
Mathias Behrle provided feedback about the tryton-server and tryton-sao vulnerabilities that were disclosed last month, and helped to review the bullseye patches for tryton-server.

Other than the regular LTS updates for bullseye, the LTS Team has also contributed updates to the latest Debian releases:

Bastien Roucariès prepared a bookworm update for squid, the web proxy cache server.
Carlos Henrique Lima Melara filed a bookworm point update request for gdk-pixbuf to fix CVE-2025-7345, a heap buffer overflow vulnerability that could lead to arbitrary code execution.
Daniel Leidert prepared bookworm and trixie updates for r-cran-gh to fix CVE-2025-54956, an issue that may expose user credentials in HTTP responses.
Along with the bullseye updates for unbound mentioned above, Guilhem helped to prepare the trixie update for unbound.
In collaboration with Lukas Märdian, Tobias Frost prepared trixie and bookworm updates for log4cxx, the C++ port of the logging framework for JAVA.
Jochen Sprickerhof prepared a bookworm update for syslog-ng.
Utkarsh completed the bookworm update for wordpress, addressing multiple security issues in the popular blogging tool.

Beyond security updates, there has been a significant effort in revamping our documentation, aiming to make the processes more clear and consistent for all the members of the team. This work was mainly carried out by Sylvain, Jochen and Roberto.

We would like to express our gratitude to the sponsors for making the Debian LTS project possible. Also, special thanks to the fellows outside the LTS team for their valuable help.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 122 months)
- Civil Infrastructure Platform (CIP) (for 90 months)
- VyOS Inc (for 54 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 132 months)
- CONET Deutschland GmbH (for 116 months)
- Plat’Home (for 115 months)
- University of Oxford (for 72 months)
- Deveryware (for 60 months)
- EDF SA (for 44 months)
- Dataport AöR (for 19 months)
- CERN (for 17 months)
Silver sponsors:
- Domeneshop AS (for 137 months)
- Nantes Métropole (for 131 months)
- Akamai - Linode (for 127 months)
- Univention GmbH (for 123 months)
- Université Jean Monnet de St Etienne (for 123 months)
- Ribbon Communications, Inc. (for 117 months)
- Exonet B.V. (for 107 months)
- Leibniz Rechenzentrum (for 101 months)
- Ministère de l’Europe et des Affaires Étrangères (for 85 months)
- Cloudways by DigitalOcean (for 74 months)
- Dinahosting SL (for 72 months)
- Upsun Formerly Platform.sh (for 66 months)
- Moxa Inc. (for 60 months)
- sipgate GmbH (for 58 months)
- OVH US LLC (for 56 months)
- Tilburg University (for 56 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 47 months)
- THINline s.r.o. (for 20 months)
- Copenhagen Airports A/S (for 14 months)
- Conseil Départemental de l’Isère
Bronze sponsors:
- Seznam.cz, a.s. (for 138 months)
- Evolix (for 137 months)
- Intevation GmbH (for 134 months)
- Linuxhotel GmbH (for 134 months)
- Daevel SARL (for 133 months)
- Megaspace Internet Services GmbH (for 132 months)
- Greenbone AG (for 131 months)
- NUMLOG (for 131 months)
- WinGo AG (for 130 months)
- Entr’ouvert (for 122 months)
- Adfinis AG (for 119 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 114 months)
- Tesorion (for 114 months)
- Bearstech (for 105 months)
- LiHAS (for 105 months)
- Catalyst IT Ltd (for 100 months)
- Demarcq SAS (for 94 months)
- Université Grenoble Alpes (for 80 months)
- TouchWeb SAS (for 72 months)
- SPiN AG (for 69 months)
- CoreFiling (for 65 months)
- Institut des sciences cognitives Marc Jeannerod (for 60 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 56 months)
- Tem Innovations GmbH (for 51 months)
- WordFinder.pro (for 51 months)
- CNRS DT INSU Résif (for 49 months)
- Soliton Systems K.K. (for 45 months)
- Alter Way (for 42 months)
- Institut Camille Jordan (for 32 months)
- SOBIS Software GmbH (for 17 months)
- Tuxera Inc. (for 8 months)
- OPM-OP AS

ELA-1596-1 python-apt security update (by )

Tue, 16 Dec 2025 01:26:01 +0530

Package : python-apt

Version : 1.4.4 (stretch), 1.8.4.4 (buster)

Related CVEs : CVE-2025-6966

Julian Andres Klode discovered that python-apt, a Python interface to libapt-pkg, incorrectly handled deb822 configuration files. An attacker could use this issue to cause python-apt to crash, resulting in a denial of service.

ELA-1595-1 linux-5.10 security update (by )

Sat, 13 Dec 2025 08:58:04 +0100

Package : linux-5.10

Version : 5.10.247-1~deb9u1 (stretch), 5.10.247-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This version additionally includes many more bug fixes from stable updates 5.10.245-5.10.247. The broken pktcdvd driver has also been disabled.

ELA-1594-1 tzdata new timezone database (by )

Fri, 12 Dec 2025 10:46:53 +0100

Package : tzdata

Version : 2025b-0+deb9u2 (stretch), 2025b-0+deb10u2 (buster)

This update includes the latest changes to the leap second list, including an update to its expiry date, which was set for the end of December.

Debian Contributions: Updates about DebConf Video Team Sprint, rebootstrap, SBOM tooling in Debian and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Fri, 12 Dec 2025 00:00:00 +0000

Debian Contributions: 2025-11

DebConf Video Team Sprint

The DebConf Video Team records, streams, and publishes talks from DebConf and many miniDebConfs. A lot of the infrastructure development happens during setup for these events, but we also try to organize a sprint once a year to work on infrastructure, when there isn’t a DebConf about to happen. Stefano attended the sprint in Herefordshire this year and wrote up a report.

rebootstrap, by Helmut Grohne

A number of jobs were stuck in architecture-specific failures. gcc-15 and dpkg still disagree about whether PIE is enabled occasionally and big endian mipsen needed fixes in systemd. Beyond this regular uploads of libxml2 and gcc-15 required fixes and rebasing of pending patches.

Earlier, Loongson used rebootstrap to create the initial package set for loong64 and Miao Wang now submitted their changes. Therefore, there is now initial support for suites other than unstable and use with derivatives.

Building the support for Software Bill Of Materials tooling in Debian, by Santiago Ruano Rincón

Vendors of Debian-based products may/should be paying attention to the evolution of different jurisdictions (such as the CRA or updates on CISA’s Minimum Elements for a Software Bill of Materials) that require to make available Software Bill of Materials (SBOM) of their products. It is important then to have tools in Debian to make it easier to produce such SBOMs.

In this context, Santiago continued the work on packaging libraries related to SBOMs. This includes the packaging of the SPDX python library (python-spdx-tools), and its dependencies rdflib and mkdocs-include-markdown-plugin. System Package Data Exchange (SPDX), defined by ISO/IEC 5962:2021, is an open standard capable of representing systems with software components as SBOMs and other data and security references. SPDX and CycloneDX (whose python library python3-cyclonedx-lib was packaged by prior efforts this year), encompass the two main SBOM standards available today.

Miscellaneous contributions

Carles improved po-debconf-manager: added checking status of bug reports automatically via python-debianbts; changed some command line options naming or output based on user feedback; finished refactoring user interaction to rich; codebase is now flake8-compliant; added type safety with mypy.
Carles, using po-debconf-manager, created 19 bug reports for translations where the merge requests were pending; reviewed and created merge requests for 4 packages.
Carles planned a second version of the tool that detects packages that Recommends or Suggests packages which are not in Debian. He is taking ideas from dumat.
Carles submitted a pull request to python-unidiff2 (adapted from the original pull request to python-unidiff). He also started preparing a qnetload update.
Stefano did miscellaneous python package updates: mkdocs-macros-plugin, python-confuse, python-pip, python-mitogen.
Stefano reviewed a beets upload for a new maintainer who is taking it over.
Stefano handled some debian.net infrastructure requests.
Stefano updated debian.social infrastructure for the “trixie” point release.
The update broke jitsi.debian.social, Stefano put some time into debugging it and eventually enlisted upstream assistance, who solved the problem!
Stefano worked on some patches for Python that help Debian:
- GH-139914: The main HP PA-RISC support patch for 3.14.
- GH-141930: We observed an unhelpful error when failing to write a .pyc file during package installation. We may have fixed the problem, and at least made the error better.
- GH-141011: Ignore missing ifunc support on HP PA-RISC.
Stefano spun up a website for hamburg2026.mini.debconf.org.
Raphaël reviewed a merge request updating tracker.debian.org to rely on bootstrap
version 5.
Emilio coordinated various transitions.
Helmut sent patches for 26 cross build failures.
Helmut officially handed over the cleanup of the /usr-move transition.
Helmut monitored the transition moving libcrypt-dev out of build-essential and bumped the remaining bugs to rc-severity in coordination with the release team.
Helmut updated the Build-Profiles patch for debian-policy incorporating feedback from Sean Whitton with a lot of help from Nattie Mayer-Hutchings and Freexian colleagues.
Helmut discovered that the way mmdebstrap deals with start-stop-daemon may result in broken output and sent a patch.
As a result of armel being removed from “sid”, but not from “forky”, the multiarch hinter broke. Helmut fixed it.
Helmut uploaded debvm accepting a patch from Luca Boccassi to fix it for newer
systemd.
Colin began preparing for the second stage of the OpenSSH GSS-API key exchange package split.
Colin caught and fixed a devscripts regression due to it breaking part of Debusine.
Colin packaged django-pgtransaction and backported it to “trixie”, since it looks useful for Debusine.
Thorsten uploaded the packages lprng, cpdb-backend-cups, cpdb-libs and ippsample to fix some RC bugs as well as other bugs that accumulated over time. He also uploaded cups-filters to all Debian releases to fix three CVEs.

ELA-1593-1 libsoup2.4 security update (by )

Thu, 11 Dec 2025 14:54:07 +0100

Package : libsoup2.4

Version : 2.56.0-2+deb9u5 (stretch), 2.64.2-2+deb10u3 (buster)

Several vulnerabilities have been found in libsoup2.4.

libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop, to integrate well with GNOME applications.

CVE-2025-4945: integer overflow in cookie parsing.

A flaw was found in the cookie parsing logic of the libsoup HTTP
library, used in GNOME applications and other software. The
vulnerability arises when processing the expiration date of cookies,
where a specially crafted value can trigger an integer overflow. This
may result in undefined behavior, allowing an attacker to bypass cookie
expiration logic, causing persistent or unintended cookie behavior. The
issue stems from improper validation of large integer inputs during date
arithmetic operations within the cookie parsing routines.

CVE-2025-4476: crash in soup_auth_digest_get_protection_space.

A denial-of-service vulnerability has been identified in the libsoup
HTTP client library. This flaw can be triggered when a libsoup client
receives a 401 (Unauthorized) HTTP response containing a specifically
crafted domain parameter within the WWW-Authenticate header. Processing
this malformed header can lead to a crash of the client application
using libsoup. An attacker could exploit this by setting up a malicious
HTTP server. If a user's application using the vulnerable libsoup
library connects to this malicious server, it could result in a
denial-of-service. Successful exploitation requires tricking a user's
client application into connecting to the attacker's malicious server.

CVE-2025-4948: verify boundary limits for multipart body.

A flaw was found in the soup_multipart_new_from_message() function of
the libsoup HTTP library, which is commonly used by GNOME and other
applications to handle web communications. The issue occurs when the
library processes specially crafted multipart messages. Due to improper
validation, an internal calculation can go wrong, leading to an integer
underflow. This can cause the program to access invalid memory and
crash. As a result, any application or server using libsoup could be
forced to exit unexpectedly, creating a denial-of-service (DoS) risk.

CVE-2025-4969: verify array bounds before accessing.

A vulnerability was found in the libsoup package. This flaw stems from
its failure to correctly verify the termination of multipart HTTP
messages. This can allow a remote attacker to send a specially crafted
multipart HTTP body, causing the libsoup-consuming server to read beyond
its allocated memory boundaries (out-of-bounds read).

ELA-1592-1 libssh security update (by )

Wed, 10 Dec 2025 15:45:53 +0100

Package : libssh

Version : 0.7.3-2+deb9u5 (stretch)

Several vulnerabilities have been found in libssh, a tiny C SSH library.

CVE-2023-6004

Vinci found a command injection issue in the ProxyCommand and ProxyJump
features.

CVE-2025-4877

Ronald Crane found that bin_to_base64() could experience an integer
overflow and subsequent under allocation, leading to an out of
bounds write on 32-bit builds.

CVE-2025-4878

Ronald Crane found that privatekey_from_file() used an uninitialized
variable under certain conditions, which could lead to signing
failure, use-after-free or memory corruption.

CVE-2025-5318

Ronald Crane found that sftp_handle() had an incorrect check, which
could lead to an out of bounds read.

CVE-2025-8114

Philippe Antoine found a null pointer dereference issue when libssh
calculates the session id for the key exchange (KEX) process and an
error happens when allocating memory using cryptographic functions,
leading to a crash.

CVE-2025-8277

Francesco Rollo a memory leak during the KEX process when a client
sets the `first_kex_packet_follows` flag in the KEXINIT message and
repeatedly makes incorrect KEX guesses.

ELA-1591-1 libssh security update (by )

Wed, 10 Dec 2025 15:42:47 +0100

Package : libssh

Version : 0.8.7-1+deb10u4 (buster)

Several vulnerabilities have been found in libssh, a tiny C SSH library.

CVE-2025-4877

Ronald Crane found that bin_to_base64() could experience an integer
overflow and subsequent under allocation, leading to an out of
bounds write on 32-bit builds.

CVE-2025-4878

Ronald Crane found that privatekey_from_file() used an uninitialized
variable under certain conditions, which could lead to signing
failure, use-after-free or memory corruption.

CVE-2025-5318

Ronald Crane found that sftp_handle() had an incorrect check, which
could lead to an out of bounds read.

CVE-2025-8114

Philippe Antoine found a null pointer dereference issue when libssh
calculates the session id for the key exchange (KEX) process and an
error happens when allocating memory using cryptographic functions,
leading to a crash.

CVE-2025-8277

Francesco Rollo a memory leak during the KEX process when a client
sets the `first_kex_packet_follows` flag in the KEXINIT message and
repeatedly makes incorrect KEX guesses.

ELA-1590-1 lasso security update (by )

Mon, 08 Dec 2025 11:46:18 +0100

Package : lasso

Version : 2.5.0-5+deb9u2 (stretch), 2.6.0-2+deb10u2 (buster)

Keane O’Kelley discovered several vulnerabilities in lasso, a library implementing Liberty Alliance and SAML protocols, which could result in denial of service or the execution of arbitrary code.

Debian's /usr-move transition has been completed (by Helmut Grohne)

Helmut Grohne — Mon, 08 Dec 2025 00:00:00 +0000

By now, the /usr-merge is an old transition. Effectively, it turns top-level directories such as /bin into symbolic links pointing below /usr. That way the entire operating system can be contained below the /usr hierarchy enabling e.g. image based update mechanisms. It was first supported in Debian 9, which is no longer in active use at this point (except for users of Freexian’s ELTS offer). When it became mandatory in Debian 12, it wasn’t really done though, because Debian’s package manager was not prepared to handle file system objects being referred to via two different paths. With nobody interested in handling the resulting issues, Freexian stepped in and funded a project lead by Helmut Grohne to resolve the remaining issues.

While the initial idea was to enhance the package manager, Debian’s members disagreed. They preferred an approach where files were simply tracked with their physical location while handling the resulting misbehavior of the package manager using package-specific workarounds. This has been recorded in the DEP17 document. During the Debian 13 release cycle, the plan has been implemented. A tool for detecting possible problems was developed specifically for this transition. Since all files are now tracked with their physical location and necessary workarounds have been added, problematic behavior is no longer triggered. An upgrade from Debian 12 to Debian 13 is unlikely to run into aliasing problems as a result.

This whole project probably consumed more than 1500 hours of work from Debian contributors, of which 700 were sponsored by Freexian through the work of Helmut Grohne. What remains is eventually removing the workarounds.

ELA-1589-1 libpng1.6 security update (by )

Sun, 07 Dec 2025 09:04:13 +0100

Package : libpng1.6

Version : 1.6.28-1+deb9u2 (stretch), 1.6.36-6+deb10u1 (buster)

Multiple vulnerabilties have been found in libpng, the official PNG reference library, allowing information disclosure via out-of-bounds read, denial of service via application crash, or heap corruption with potential for arbitrary code execution.

CVE-2025-64505

Heap buffer over-read in png_do_quantize via malformed palette index.

CVE-2025-64506

Heap buffer over-read in png_write_image_8bit

CVE-2025-64720

Buffer overflow in png_image_read_composite via incorrect palette
premultiplication

CVE-2025-65018

Heap buffer overflow in png_combine_row triggered via png_image_finish_read

CVE-2025-66293

An out-of-bounds read vulnerability in libpng's simplified API allows
reading up to 1012 bytes beyond the png_sRGB_base[512] array when
processing palette PNG images with partial transparency and gamma correction

ELA-1588-1 libhtp security update (by )

Thu, 04 Dec 2025 13:28:35 -0300

Package : libhtp

Version : 1:0.5.30-1+deb10u1 (buster)

Related CVEs : CVE-2024-23837 CVE-2024-45797

Multiple cases of denial of service due to excessive CPU time and memory utilization have been fixed in LibHTP, a parser for the HTTP protocol mainly used by the network analysis and threat detection software Suricata.

ELA-1587-1 libapache2-mod-auth-openidc security update (by )

Wed, 03 Dec 2025 12:51:01 +0100

Package : libapache2-mod-auth-openidc

Version : 2.3.10.2-1+deb10u5 (buster)

Related CVEs : CVE-2025-3891

A vulnerability has been fixed in mod_auth_openidc, an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality.

An unauthenticated attacker can crash the Apache httpd process by sending a POST request without a Content-Type header when OIDCPreservePost is enabled in mod_auth_openidc. This leads to denial of service.

A workaround is to disable the OIDCPreservePost directive.

ELA-1568-2 unbound1.9 security update (by )

Mon, 01 Dec 2025 00:24:29 +0100

Package : unbound1.9

Version : 1.9.0-2+deb10u2~deb9u8 (stretch)

Related CVEs : CVE-2025-11411

Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that the initial fix for CVE-2025-11411 as applied in ELA 1568-1 did not fully fix the vulnerability. Updated packages correcting this issue are now available.

Additionally, this update includes a fix for potential amplification DDoS attacks due to improperly following cleared RD flags.

ELA-1567-2 unbound security update (by )

Mon, 01 Dec 2025 00:23:18 +0100

Package : unbound

Version : 1.9.0-2+deb10u8 (buster)

Related CVEs : CVE-2025-11411

Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that the initial fix for CVE-2025-11411 as applied in ELA 1567-1 did not fully fix the vulnerability. Updated packages correcting this issue are now available.

Additionally, this update includes a fix for potential amplification DDoS attacks due to improperly following cleared RD flags.

ELA-1586-1 cups-filters security update (by )

Sun, 30 Nov 2025 18:41:49 +0100

Package : cups-filters

Version : 1.11.6-3+deb9u4 (stretch), 1.21.6-5+deb10u3 (buster)

Several issues have been found in cups-filters, which provides additional CUPS filters.

CVE-2025-64503 out of bounds write vulnerability when processing crafted PDF files containing a large ‘Mediabox’ value
CVE-2025-57812 out of bounds read/write vulnerability in the processing of TIFF image files
CVE-2025-64524 infinite loop with crafted input raster file, that resuls into a heap buffer overflow

ELA-1585-1 qtbase-opensource-src security update (by )

Sat, 29 Nov 2025 10:41:24 +0100

Package : qtbase-opensource-src

Version : 5.7.1+dfsg-3+deb9u6 (stretch)

Related CVEs : CVE-2015-9541

An exponential XML entity expansion was discovered in Qt, a cross-platform C++ application framework. A crafted SVG document was mishandled in QXmlStreamReader and would cause a denial of service, a related issue to CVE 2003-1564 (“billion laughs attack”).

ELA-1584-1 qtbase-opensource-src security update (by )

Sat, 29 Nov 2025 10:41:13 +0100

Package : qtbase-opensource-src

Version : 5.11.3+dfsg1-1+deb10u8 (buster)

Related CVEs : CVE-2024-39936

A race condition was discovered in Qt, a cross-platform C++ application framework. Code to make security-relevant decisions about an established HTTP2 connection may execute too early, because the encrypted() signal has not yet been emitted and processed.

Monthly report about Debian Long Term Support, October 2025 (by Roberto C. Sánchez)

Roberto C. Sánchez — Sat, 29 Nov 2025 00:00:00 +0000

The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for October.

Activity summary

During the month of October, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 37 DLAs fixing 893 CVEs.

The team has continued in its usual rhythm, preparing and uploading security updates targeting LTS and ELTS, as well as helping with updates to oldstable, stable, testing, and unstable. Additionally, the team received several contributions of LTS uploads from Debian Developers outside the standing LTS Team.

Notable security updates:

https-everywhere, prepared by Markus Koschany, deals with a problem created by ownership of the https-rulesets.org domain passing to a malware operator
openjdk-17 and openjdk-11, prepared by Emilio Pozuelo Monfort, fixes XML external entity and certificate validation vulnerabilities
intel-microcode, prepared by Tobias Frost, fixes a variety of privilege escalation and denial of service vulnerabilities

Notable non-security updates:

distro-info-data, prepared by Stefano Rivera, updates information concerning current and upcoming Debian and Ubuntu releases

Contributions from outside the LTS Team:

Lukas Märdian, a Debian Developer, provided an update of log4cxx
Andrew Ruthven, one of the request-tracker4 maintainers, provided an update of request-tracker4
Christoph Goehre, co-maintainer of thunderbird, provided an update of thunderbird

Beyond the typical LTS updates, the team also helped the Debian community more broadly:

Guilhem Moulin prepared oldstable/stable updates of libxml2, and an unstable update of libxml2.9
Bastien Roucariès prepared oldstable/stable updates of imagemagick
Daniel Leidert prepared an oldstable update of python-authlib, oldstable update of libcommons-lang-java and stable update of libcommons-lang3-java
Utkarsh Gupta prepared oldstable/stable/testing/unstable updates of ruby-rack

The LTS Team is grateful for the opportunity to contribute to making LTS a high quality for sponsors and users. We are also particularly grateful for the collaboration from others outside the time; their contributions are important to the success of the LTS effort.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 121 months)
- Civil Infrastructure Platform (CIP) (for 89 months)
- VyOS Inc (for 54 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 132 months)
- Babiel GmbH (for 115 months)
- Plat’Home (for 115 months)
- University of Oxford (for 72 months)
- Deveryware (for 59 months)
- EDF SA (for 43 months)
- Dataport AöR (for 19 months)
- CERN (for 16 months)
Silver sponsors:
- Domeneshop AS (for 136 months)
- Nantes Métropole (for 130 months)
- Akamai - Linode (for 126 months)
- Univention GmbH (for 122 months)
- Université Jean Monnet de St Etienne (for 122 months)
- Ribbon Communications, Inc. (for 116 months)
- Exonet B.V. (for 106 months)
- Leibniz Rechenzentrum (for 100 months)
- Ministère de l’Europe et des Affaires Étrangères (for 84 months)
- Cloudways by DigitalOcean (for 73 months)
- Dinahosting SL (for 71 months)
- Upsun Formerly Platform.sh (for 66 months)
- Moxa Inc. (for 60 months)
- sipgate GmbH (for 57 months)
- OVH US LLC (for 55 months)
- Tilburg University (for 55 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 47 months)
- THINline s.r.o. (for 20 months)
- Copenhagen Airports A/S (for 13 months)
Bronze sponsors:
- Evolix (for 137 months)
- Seznam.cz, a.s. (for 137 months)
- Linuxhotel GmbH (for 134 months)
- Intevation GmbH (for 133 months)
- Daevel SARL (for 132 months)
- Megaspace Internet Services GmbH (for 131 months)
- Greenbone AG (for 130 months)
- NUMLOG (for 130 months)
- WinGo AG (for 130 months)
- Entr’ouvert (for 121 months)
- Adfinis AG (for 119 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 113 months)
- Tesorion (for 113 months)
- Bearstech (for 105 months)
- LiHAS (for 105 months)
- Catalyst IT Ltd (for 99 months)
- Demarcq SAS (for 93 months)
- Université Grenoble Alpes (for 80 months)
- TouchWeb SAS (for 72 months)
- SPiN AG (for 68 months)
- CoreFiling (for 64 months)
- Institut des sciences cognitives Marc Jeannerod (for 59 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 56 months)
- Tem Innovations GmbH (for 51 months)
- WordFinder.pro (for 50 months)
- CNRS DT INSU Résif (for 49 months)
- Soliton Systems K.K. (for 44 months)
- Alter Way (for 42 months)
- Institut Camille Jordan (for 32 months)
- SOBIS Software GmbH (for 16 months)
- Tuxera Inc. (for 8 months)

All PHP versions for all Debian/Ubuntu releases: new offers for PHP LTS (by )

Wed, 26 Nov 2025 00:00:00 +0000

With our initial PHP LTS offers we brought to life an entirely new service in the Debian ecosystem: Debian packages for multiple PHP releases and multiple Debian/Ubuntu releases, with dependable security support over an extended period of time.

With a few years of experince behind us, and lots of feedback from prospects and customers, we decided to revamp the PHP LTS offers to make them easier to understand and more balanced between the various subscription levels.

In the new offer, the contractual guarantees are mostly the same for all customers, but the price will vary based on the number of systems where PHP LTS updates are installed, and based on the number of platforms used (a platform being a specific PHP release on a specific Debian/Ubuntu release).

Existing customers will continue with the same terms until the end of their current subscription period, but will be moved to the new terms starting from their next renewal.

Have a look at the new offers!

This service is brought to you by Freexian in cooperation with Ondřej Surý.

ELA-1583-1 linux-6.1 security update (by )

Tue, 25 Nov 2025 16:00:49 +0100

Package : linux-6.1

Version : 6.1.158-1~deb9u1 (stretch), 6.1.158-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

How we implemented a dark mode in Debusine (by Enrico Zini)

Enrico Zini — Tue, 25 Nov 2025 00:00:00 +0000

Having learnt that Bootstrap supports color modes, we decided to implement an option for users to enable dark mode in Debusine.

By default, the color mode is selected depending on the user browser preferences. If explicitly selected, we use a cookie to store the theme selection so that a user can choose different color modes in different browsers.

The work is in merge request !2401 and minimizes JavaScript dependencies like we do in other parts of debusine.

A view to select the theme

First is a simple view to configure the selected theme and store it in a cookie. If auto is selected, then the cookie is deleted to delegate theme selection to JavaScript:

class ThemeSelectionView(View):
    """Select and save the current theme."""

    def post(
        self, request: HttpRequest, *args: Any, **kwargs: Any  # noqa: U100
    ) -> HttpResponse:
        """Set the selected theme."""
        value = request.POST.get("theme", "auto")
        next_url = request.POST.get("next", None)
        if next_url is None:
            next_url = reverse("homepage:homepage")
        response = HttpResponseRedirect(next_url)
        if value == "auto":
            response.delete_cookie("theme")
        else:
            response.set_cookie(
                "theme", value, httponly=False, max_age=dt.timedelta(days=3650)
            )
        return response

The main base view of Debusine reads the value from the cookie and makes it available to the templates:

      def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
          ctx = super().get_context_data(**kwargs)
          ctx["theme"] = self.request.COOKIES.get("theme", None)
          # ...
          return ctx

The base template will use this value to set data-bs-theme on the main <html> element, and that’s all that is needed to select the color mode in Bootstrap:

<html lang="en"{% if theme %} data-bs-theme="{{ theme }}"{% endif %}>

The view uses HTTP POST as it changes state, so theme selection happens in a form:

<form id="footer-theme" class="col-auto" method="post"
      action="{% url "theme-selection" %}">
    {% csrf_token %}
    <input type="hidden" name="next" value="{{ request.get_full_path }}">
    Theme:
    <button type="submit" name="theme" value="dark">dark</button>
    •
    <button type="submit" name="theme" value="light">light</button>
    •
    <button type="submit" name="theme" value="auto">auto</button>
</form>

Since we added the theme selection buttons in the footer, we use CSS to render the buttons in the same way as the rest of the footer links.

Bootstrap has a set of CSS variables that can be used to easily in sync with the site theme, and they are especially useful now that the theme is configurable:

footer button {
    background: none;
    border: none;
    margin: 0;
    padding: 0;
    color: var(--bs-link-color);
}

Theme autoselection

Bootstrap would support theme autoselection via browser preferences, but that requires rebuilding its Sass sources.

Alternatively, one can use JavaScript:

{% if not theme %}
    <script blocking="render">
    (function() {
        let theme = window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light';
        let [html] = document.getElementsByTagName("html");
        html.setAttribute("data-bs-theme", theme);
    })();
    </script>
{% endif %}

This reads the color scheme preferences and sets the data-bs-theme attribute on <html>.

The script is provided inline as it needs to use blocking="render" to avoid flashing a light background at the beginning of page load until the attribute is set.

Given that this is a render-blocking snippet, as an extra optimization it is not added to the page if a theme has been set.

Bootstrap CSS fixes

We were making use of the bootstrap btn-light class in navbars to highlight elements on hover, and that doesn’t work well with theme selection.

Lacking a button class that does the right thing across themes, we came up with a new CSS class that uses variables to define a button with hover highlight that works preserving the underlying color:

:root[data-bs-theme=light] {
    --debusine-hover-layer: rgb(0 0 0 / 20%);
    --debusine-hover-color-multiplier: 0.8;
    --debusine-disabled-color-multiplier: 1.5;
}
:root[data-bs-theme=dark] {
    --debusine-hover-layer: rgb(255 255 255 / 20%);
    --debusine-hover-color-multiplier: 1.2;
    --debusine-disabled-color-multiplier: 0.5;
}

/* Button that preserves the underlying color scheme */
.btn-debusine {
  --bs-btn-hover-color: rgb(from var(--bs-btn-color) calc(r * var(--debusine-hover-color-multiplier)) calc(g * var(--debusine-hover-color-multiplier)) calc(b * var(--debusine-hover-color-multiplier)));
  --bs-btn-hover-bg: var(--debusine-hover-layer);
  --bs-btn-disabled-color: rgb(from var(--bs-btn-color) calc(r * var(--debusine-disabled-color-multiplier)) calc(g * var(--debusine-disabled-color-multiplier)) calc(b * var(--debusine-disabled-color-multiplier)));
  --bs-btn-disabled-bg: var(--bs-btn-bg);
  --bs-btn-disabled-border-color: var(--bs-btn-border-color);
}

Dark mode!

This was a nice integration exercise with many little tricks, like how to read color scheme preferences from the browser, render form buttons as links, use bootstrap variables, prevent a flashing background, handle cookies in Django.

And Debusine now has a dark mode!

ELA-1582-1 erlang security update (by )

Mon, 24 Nov 2025 17:48:27 +0100

Package : erlang

Version : 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u5 (stretch), 1:22.2.7+dfsg-1+deb10u4 (buster)

Multiple vulnerabilities were fixed in Erlang a concurrent, real-time, distributed functional language.

CVE-2025-4748: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed.
CVE-2025-48038, CVE-2025-48039, CVE-2025-48041: Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure, Flooding. These vulnerabilities are associated with program files lib/ssh/src/ssh_sftpd.erl.

ELA-1581-1 libsoup2.4 security update (by )

Wed, 19 Nov 2025 09:39:12 +0100

Package : libsoup2.4

Version : 2.56.0-2+deb9u4 (stretch), 2.64.2-2+deb10u2 (buster)

Multiple issues has been identified in libsoup2.4. This update contains fixes for a few of them that have previously been addressed in LTS and newer releases. Additional updates will come when more of the recently allocated CVE ids have been analyzed.

CVE-2025-2784: heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.

CVE-2025-32050: libsoup append_param_quoted() function may contain an overflow bug resulting in a buffer under-read.

CVE-2025-32052: vulnerability in the sniff_unknown() function may lead to heap buffer over-read.

CVE-2025-32053: vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read.

CVE-2025-32906: soup_headers_parse_request() function may be vulnerable to an out-of-bound read. This flaw allows a malicious user to use a specially crafted HTTP request to crash the HTTP server.

CVE-2025-32909: SoupContentSniffer may be vulnerable to a NULL pointer dereference in the sniff_mp4 function. The HTTP server may cause the libsoup client to crash.

CVE-2025-32910: soup_auth_digest_authenticate() is vulnerable to a NULL pointer dereference. This issue may cause the libsoup client to crash.

CVE-2025-32911: use-after-free memory issue not on the heap in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server.

CVE-2025-32913: the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function.

CVE-2025-32914: the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds.

CVE-2025-32912: SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP server may cause the libsoup client to crash.

Additionally for buster an updated test certificate was included that extends the expiration to year 2049.

ELA-1580-1 libssh security update (by )

Tue, 18 Nov 2025 15:51:19 +0100

Package : libssh

Version : 0.8.7-1+deb10u3 (buster)

Several vulnerabilities were discovered in libssh, a tiny C SSH library.

CVE-2020-16135

A NULL pointer dereference was found in sftpserver, which would lead
to denial of service.

CVE-2023-6004

It was reported that using the ProxyCommand or the ProxyJump feature
may allow an attacker to inject malicious code through specially
crafted hostnames.

CVE-2023-6918

Jack Weinstein reported that missing checks for return values for
digests may result in denial of service (application crashes) or
usage of uninitialized memory.

ELA-1579-1 mbedtls security update (by )

Mon, 17 Nov 2025 15:08:43 +0100

Package : mbedtls

Version : 2.16.9-0~deb10u2 (buster)

Multiple vulnerabilities have been fixed in mbedtls, a lightweight crypto and SSL/TLS library.

CVE-2025-47917

MbedTLS allows use-after-free in certain situations in the correctly developed applications.
CVE-2025-48965

The handling of val.p and val.len in mbedtls_asn1_store_named_data was inconsistent and allowed NULL pointer dereference. The fix for this issue depended on fixes for two related issues in the same piece of code, which are now also fixed.
CVE-2025-52496

A race condition in AESNI detection could occur if certain compiler optimisations were applied, making it possible to extract an AES key from a multithreaded program or perform a GCM forgery.
CVE-2025-52497

In mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, one-byte heap-based buffer underflow could occur.

ELA-1578-1 squid security update (by )

Fri, 14 Nov 2025 17:49:49 +0100

Package : squid

Version : 4.13-10+deb11u6~deb10u1 (buster)

Multiple vulnerabilities were reported in Squid, a popular proxy server.

The changes required to fix all the open vulnerabilities, especially CVE-2025-62168, were too invasive to be backported individually, and the risk of regressions was too high due to large amount of source code that needed to be modified or rewritten, including the internal C++ library.

After carrying out a risk analysis, it was determined that the best available solution was to backport the version from Debian 11 “bullseye” to Debian 10. This decision means that, upon installing this update, users of Squid in Debian 10 will be moving from Squid version 4.6 to 4.13.

Please note that to remediate CVE-2025-62168, users need to review their Squid configuration and disable the insecure email_err_data setting if it was previously enabled. The CVE-2025-62168 patch disables this configuration by default, but it does not override existing insecure administrator-defined settings.

CVE-2023-5824:

The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service.

CVE-2023-46728:

Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol support was enabled by default in previous Squid versions. Responses triggering this bug can be received from any gopher server, even those without malicious intent.
Gopher support has been removed.

CVE-2025-54574:

Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management.

CVE-2025-59362:

Squid mishandles ASN.1 encoding of long SNMP OIDs. This occurs in `asn_build_objid` in `lib/snmplib/asn1.c`.

CVE-2025-62168:

Failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a malicious actor to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication.

ELA-1577-1 gst-plugins-good1.0 security update (by )

Thu, 13 Nov 2025 16:46:12 +0100

Package : gst-plugins-good1.0

Version : 1.10.4-1+deb9u5 (stretch)

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework.

CVE-2024-47543:

An OOB-read vulnerability has been discovered
in qtdemux_parse_container function within qtdemux.c.
In the parent function qtdemux_parse_node, the value of
length is not well checked. So, if length is big enough,
it causes the pointer end to point beyond the boundaries
of buffer. Subsequently, in the qtdemux_parse_container
function, the while loop can trigger an OOB-read,
accessing memory beyond the bounds of buf.
This vulnerability can result in reading up to
4GB of process memory or potentially causing a
segmentation fault (SEGV) when accessing invalid memory

CVE-2024-47545:

An integer underflow has been detected in qtdemux_parse_trak function
within qtdemux.c. During the strf parsing case, the subtraction
size -= 40 can lead to a negative integer overflow if it is less than
40. If this happens, the subsequent call to gst_buffer_fill will
invoke memcpy with a large tocopy size, resulting in an OOB-read.

CVE-2024-47546:

An integer underflow has been detected
in extract_cc_from_data function within qtdemux.c.
In the FOURCC_c708 case, the subtraction atom_length - 8
may result in an underflow if atom_length is less than 8.
When that subtraction underflows, *cclen ends up being a
large number, and then cclen is passed to g_memdup2
leading to an out-of-bounds (OOB) read

CVE-2024-47597:

An OOB-read has been detected in the function
qtdemux_parse_samples within qtdemux.c. This issue arises
when the function qtdemux_parse_samples reads data beyond
the boundaries of the stream->stco buffer. The following code
snippet shows the call to qt_atom_parser_get_offset_unchecked,
which leads to the OOB-read when parsing the provided
GHSL-2024-245_crash1.mp4 file. This issue may lead
to read up to 8 bytes out-of-bounds.

CVE-2025-47219:

The isomp4 plugin's qtdemux_parse_trak() function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.

Debian Contributions: Upstreaming cPython patches, ansible-core autopkgtest robustness and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Thu, 13 Nov 2025 00:00:00 +0000

Debian Contributions: 2025-10

Upstreaming cPython patches, by Stefano Rivera

Python 3.14.0 (final) released in early October, and Stefano uploaded it to Debian unstable. The transition to support 3.14 has begun in Ubuntu, but hasn’t started in Debian, yet.

While build failures in Debian’s non-release ports are typically not a concern for package maintainers, Python is fairly low in the stack. If a new minor version has never successfully been built for a Debian port by the time we start supporting it, it will quickly become a problem for the port. Python 3.14 had been failing to build on two Debian ports architectures (hppa and m68k), but thankfully their porters provided patches. These were applied and uploaded, and Stefano forwarded the hppa one upstream. Getting it into shape for upstream approval took some work, and shook out several other regressions for the Python hppa port. Debugging these on slow hardware takes a while.

These two ports aren’t successfully autobuilding 3.14 yet (they’re both timing out in tests), but they’re at least manually buildable, which unblocks the ports.

Docutils 0.22 also landed in Debian around this time, and Python needed some work to build its docs with it. The upstream isn’t quite comfortable with distros using newer docutils, so there isn’t a clear path forward for these patches, yet.

The start of the Python 3.15 cycle was also a good time to renew submission attempts on our other outstanding python patches, most importantly multiarch tuples for stable ABI extension filenames.

ansible-core autopkgtest robustness, by Colin Watson

The ansible-core package runs its integration tests via autopkgtest. For some time, we’ve seen occasional failures in the expect, pip, and template_jinja2_non_native tests that usually go away before anyone has a chance to look into them properly. Colin found that these were blocking an openssh upgrade and so decided to track them down.

It turns out that these failures happened exactly when the libpython3.13-stdlib package had different versions in testing and unstable. A setup script removed /usr/lib/python3*/EXTERNALLY-MANAGED in order that pip can install system packages for some of the tests, but if a package shipping that file were ever upgraded then that customization would be undone, and the same setup script removed apt pins in a way that caused problems when autopkgtest was invoked in certain ways. In combination with this, one of the integration tests attempted to disable system apt sources while testing the behaviour of the ansible.builtin.apt module, but it failed to do so comprehensively enough and so that integration test accidentally upgraded the testbed from testing to unstable in the middle of the test. Chaos ensued.

Colin fixed this in Debian and contributed the relevant part upstream.

Miscellaneous contributions

Carles kept working on the missing-relations (packages which Recommends or Suggests packages that are not available in Debian). He improved the tooling to detect Suggested packages that are not available in Debian because they were removed (or changed names).
Carles improved po-debconf-manager to send translations for packages that are not in Salsa. He also improved the UI of the tool (using rich for some of the output).
Carles, using po-debconf-manager, reviewed and submitted 38 debconf template translations.
Carles created a merge request for distro-tracker to align text and input-field (postponed until distro-tracker uses Bootstrap 5).
Raphaël updated gnome-shell-extension-hamster for GNOME 49. It is a GNOME Shell integration for the Hamster time tracker.
Raphaël merged a couple of trivial merge requests, but he did not yet find the time to properly review and test the bootstrap 5 related merge requests that are still waiting on salsa.
Helmut sent patches for 20 cross build failures.
Helmut refactored debvm dropping support for running on “bookworm”. There are two “trixie” features improving the operation. mkfs.ext4 can now consume a tar archive to populate the filesystem via libarchive and dash now supports set -o pipefail. Beyond this change in operation, a number of robustness and quality issues have been resolved.
Thorsten fixed some bugs in the printing software and uploaded improved versions of brlaser and ifhp. Moreover he uploaded a new upstream version of cups.
Emilio updated xorg-server to the latest security release and helped with various transitions.
Santiago worked on and reviewed different Salsa CI MR to address some regressions introduced by the move to sbuild+unshare. Those MR included stop adding the salsa-ci user in the build image to the sbuild group, fix the suffix path used by mmdebstrap to create the chroot and update the documentation about how to use aptly repos in another project.
Santiago supported the work on the DebConf 26 organisation, particularly helping with an implemented method to count the votes to choose the conference logo.
Stefano reviewed Python PEP-725 and PEP-804, which hope to provide a mechanism to declare external (e.g. APT) dependencies in Python packages. Stefano engaged in discussion and provided feedback to the authors.
Stefano prepared for Berkeley DB removal in Python.
Stefano ported the backend to reverse-depends to Python 3 (yes, it had been running on 2.7) and migrated it to git from bzr.
Stefano updated miscellaneous packages, including beautifulsoup4, mkdocs-macros-plugin, python-pipx.
Stefano applied an upstream patch to pypy3, fixing an AST Compiler Assertion error.
Stefano uploaded an update to distro-info-data, including data for two additional Debian derivatives: eLxr and Devuan.
Stefano prepared an update to dh-python, the python packaging tool, merging several contributed patches and resolving some bugs.
Colin upgraded OpenSSH to 10.1p1, helped upstream to chase down some regressions, and further upgraded to 10.2p1. This is also now in trixie-backports.
Colin fixed several build regressions with Python 3.14, scikit-learn 1.7, and other transitions.
Colin investigated a malware report against tini, making use of reproducible builds to help demonstrate that this is highly likely to be a false positive.
Anupa prepared questions and collected interview responses from women contributors in Debian to publish the post as part of Ada Lovelace day 2025.

ELA-1576-1 gst-plugins-good1.0 security update (by )

Wed, 12 Nov 2025 21:42:42 +0100

Package : gst-plugins-good1.0

Version : 1.14.4-1+deb10u5 (buster)

Related CVEs : CVE-2025-47183 CVE-2025-47219

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework.

CVE-2025-47183

The isomp4 plugin's qtdemux_parse_tree() function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure.

CVE-2025-47219

The isomp4 plugin's qtdemux_parse_trak() function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.

ELA-1575-1 libarchive security update (by )

Tue, 11 Nov 2025 11:13:35 +0100

Package : libarchive

Version : 3.2.2-2+deb9u6 (stretch), 3.3.3-4+deb10u5 (buster)

Multiple vulnerabilties were fixed in libarchive a multi-format archive and compression library.

CVE-2025-5914

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

CVE-2025-5916

This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.

CVE-2025-5917

This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.

CVE-2025-5918

This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

ELA-1574-1 dcmtk security update (by )

Tue, 11 Nov 2025 08:35:57 +0100

Package : dcmtk

Version : 3.6.4-2.1+deb10u4 (buster)

Several vulnerabilities have been fixed in DCMTK, a collection of libraries and applications implementing large parts of the DICOM standard for medical images.

CVE-2025-9732

Processing of an invalid DICOM image with a Photometric
Interpretation of "YBR_FULL" and a Planar Configuration of "1" where
the number of pixels stored does not match the expected number of pixels.
This may lead to memory corruption.

CVE-2022-4981

Various issues in the dcmqrscp configuration file parser that could cause
application crashes when reading a malformed configuration file, due to
insufficient checks of the input data.

CVE-2020-36855

Stack-based overflow in the dcmqrscp config parser.

ELA-1573-1 gimp security update (by )

Tue, 11 Nov 2025 08:29:55 +0100

Package : gimp

Version : 2.8.18-1+deb9u6 (stretch), 2.10.8-2+deb10u5 (buster)

Related CVEs : CVE-2025-10934

GIMP, the GNU Image Manipulation Program, is vulnerable to a heap-based buffer overflow when parsing XWD files. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP and requires the target to visit a malicious page or open a malicious file.

ELA-1572-1 geographiclib security update (by )

Tue, 11 Nov 2025 08:25:22 +0100

Package : geographiclib

Version : 1.46-2+deb9u1 (stretch), 1.49-4+deb10u1 (buster)

Related CVEs : CVE-2025-60751

Geographiclib is a C++ library to solve geodesic problems. A stack buffer overflow occurs when the GeoConvert tool receives a crafted input. The overflow occurs because the program does not properly validate an internal index, allowing an out-of-bounds write on the stack. An attacker can exploit this vulnerability to hijack the program’s control flow by overwriting a return address to point to a libc function and execute arbitrary code.

ELA-1571-1 strongswan security update (by )

Tue, 11 Nov 2025 02:31:10 +0100

Package : strongswan

Version : 5.7.2-1+deb10u5 (buster)

Related CVEs : CVE-2025-62291

Xu Biang discovered a buffer overflow bug in the eap-mschapv2 plugin of strongSwan, an IKE/IPsec suite. The eap-mschapv2 plugin does not correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client, which can cause an integer underflow that leads to a crash, and a heap-based buffer overflow that’s potentially exploitable for remote code execution.

ELA-1570-1 gdk-pixbuf security update (by )

Sun, 09 Nov 2025 23:36:46 -0300

Package : gdk-pixbuf

Version : 2.36.5-2+deb9u4 (stretch), 2.38.1+dfsg-1+deb10u2 (buster)

Related CVEs : CVE-2025-7345

A vulnerability was found in gdk-pixbuf, a library used by many GTK applications to load graphical assets. When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding.

ELA-1569-1 openjdk-8 security update (by )

Fri, 07 Nov 2025 11:01:11 +0100

Package : openjdk-8

Version : 8u472-ga-1~deb9u1 (stretch)

Related CVEs : CVE-2025-53057 CVE-2025-53066

Two vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in XML external entity injection attacks or incorrect certificate validation.

Contractual Terms (by )

Fri, 07 Nov 2025 11:07:07 +0200

Master Services Agreement

The contractual terms governing our various services are defined by the Service Order that you can find on each service’s page and the Master Services Agreement that you will find below.

Master Services Agreement, version 1.0 applicable since November 1st, 2025.

Other forms

SEPA mandate

By signing a SEPA mandate, you can simplify the payment process of the renewals of Freexian services since Freexian will initiate the wire transfer from your bank account. You get the invoice at the start of the month and your bank account is debited on the 20th.

SEPA Direct Debit Mandate

ELA-1568-1 unbound1.9 security update (by )

Thu, 06 Nov 2025 20:13:31 +0100

Package : unbound1.9

Version : 1.9.0-2+deb10u2~deb9u7 (stretch)

Related CVEs : CVE-2025-11411

Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that unbound, a validating, recursive, and caching DNS resolver, was vulnerable to cache poisoning via NS RRSet injection, which could lead to domain hijack.

Promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver’s knowledge of the zone’s name servers. A malicious actor who is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) can poison Unbound’s cache for the delegation point.

The fix scrubs unsolicited NS RRSets (and their respective address records) from replies, thereby mitigating the possible poison effect. The protection can be turned off by setting the new configuration option “iter-scrub-promiscuous” to “no”, see unbound.conf(5).

ELA-1567-1 unbound security update (by )

Thu, 06 Nov 2025 20:13:30 +0100

Package : unbound

Version : 1.9.0-2+deb10u7 (buster)

Related CVEs : CVE-2025-11411

ELA-1566-1 pure-ftpd security update (by )

Mon, 03 Nov 2025 19:27:42 -0300

Package : pure-ftpd

Version : 1.0.47-3+deb10u1 (buster)

Multiple vulnerabilities were discovered in pure-ftpd, a secure and efficient FTP server, that could lead to data corruption, information disclosure or program crash.

CVE-2019-20176:

Stack exhaustion in the listdir function in ls.c.

CVE-2020-9274:

Uninitialized pointer in the diraliases linked list.

CVE-2020-9365:

Out-of-bounds (OOB) read in the pure_strcmp function in utils.c.

CVE-2021-40524:

Incorrect max_filesize quota mechanism in the server allows adversaries to
upload files of unbounded size.

ELA-1565-1 git security update (by )

Fri, 31 Oct 2025 16:31:45 +0100

Package : git

Version : 1:2.11.0-3+deb9u13 (stretch), 1:2.20.1-2+deb10u11 (buster)

Multiple vulnerabilities have been discovered in git, the distributed revision control system.

CVE-2025-27613

Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when
a user clones an untrusted repository and runs gitk without additional
command arguments, files for which the user has write permission can be
created and truncated.

CVE-2025-46835

Git GUI allows you to use the Git source control management tools via a GUI.
When a user clones an untrusted repository and is tricked into editing a
file located in a maliciously named directory in the repository, then Git
GUI can create and overwrite files for which the user has write permission.

CVE-2025-48384

When reading a config value, Git strips any trailing carriage return and line
feed (CRLF). When writing a config entry, values with a trailing CR are not
quoted, causing the CR to be lost when the config is later read. When
initializing a submodule, if the submodule path contains a trailing CR, the
altered path is read resulting in the submodule being checked out to an
incorrect location. If a symlink exists that points the altered path to the
submodule hooks directory, and the submodule contains an executable
post-checkout hook, the script may be unintentionally executed after checkout.

ELA-1564-1 qemu security update (by )

Thu, 30 Oct 2025 15:52:21 -0300

Package : qemu

Version : 1:2.8+dfsg-6+deb9u20 (stretch)

Related CVEs : CVE-2023-3019 CVE-2024-3447

Multiple security issues were found in QEMU, a fast processor emulator, that could result in denial of service, information leak, or privilege escalation.

CVE-2023-3019

Use-after-free error in the e1000e NIC emulation.

CVE-2024-3447

Heap-based buffer overflow in SDHCI device emulation.

This update also removes the usage of the C (Credential) flag for the binfmt_misc registration within the qemu-user-static (and qemu-user-binfmt) packages, as it allowed for privilege escalation when running a suid/sgid binary under qemu-user. This means suid/sgid foreign-architecture binaries are not running with elevated privileges under qemu-user anymore. If you relied on this behavior of qemu-user in the past (running suid/sgid foreign-arch binaries), this will require changes to your deployment.

In Debian 9 “stretch”, the affected packages are qemu-user-static (and qemu-user-binfmt).

ELA-1562-1 ghostscript security update (by )

Thu, 30 Oct 2025 16:20:46 +0100

Package : ghostscript

Version : 9.26a~dfsg-0+deb9u15 (stretch), 9.27~dfsg-2+deb10u12 (buster)

Related CVEs : CVE-2025-59798 CVE-2025-59799

It was discovered that Ghostscript incorrectly handled some PDF files. An attacker could use this issue to cause Ghostscript to crash, resulting in a denial of service.

ELA-1563-1 openssl1.0 security update (by )

Thu, 30 Oct 2025 09:50:01 +0100

Package : openssl1.0

Version : 1.0.2u-1~deb9u11 (stretch)

Related CVEs : CVE-2025-9230

Stanislav Fort discovered an out of bounds read and write issue when decrypting CMS messages that were encrypted using password based encryption.

ELA-1561-1 xorg-server security update (by )

Wed, 29 Oct 2025 18:50:19 +0100

Package : xorg-server

Version : 2:1.19.2-1+deb9u23 (stretch), 2:1.20.4-1+deb10u18 (buster)

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

ELA-1560-1 intel-microcode security update (by )

Wed, 29 Oct 2025 17:19:16 +0100

Package : intel-microcode

Version : 3.20250812.1~deb9u1 (stretch), 3.20250812.1~deb10u1 (buster)

This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities which could result in privilege escalation or denial of service.

CVE-2025-20053

Improper buffer restrictions for some Intel(R) Xeon(R) Processor firmware with
SGX enabled may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2025-20109

Improper Isolation or Compartmentalization in the stream cache mechanism for
some Intel(R) Processors may allow an authenticated user to potentially enable
escalation of privilege via local access.

CVE-2025-21090

Missing reference to active allocated resource for some Intel(R) Xeon(R)
processors may allow an authenticated user to potentially enable denial of
service via local access.

CVE-2025-22839

Insufficient granularity of access control in the OOB-MSM for some Intel(R)
Xeon(R) 6 Scalable processors may allow a privileged user to potentially enable
escalation of privilege via adjacent access.

CVE-2025-22840

Sequence of processor instructions leads to unexpected behavior for some
Intel(R) Xeon(R) 6 Scalable processors may allow an authenticated user to
potentially enable escalation of privilege via local access

CVE-2025-22889

Improper handling of overlap between protected memory ranges for some Intel(R)
Xeon(R) 6 processor with Intel(R) TDX may allow a privileged user to
potentially enable escalation of privilege via local access.

CVE-2025-24305

Insufficient control flow management in the Alias Checking Trusted Module
(ACTM) firmware for some Intel(R) Xeon(R) processors may allow a privileged
user to potentially enable escalation of privilege via local access.

CVE-2025-26403

Out-of-bounds write in the memory subsystem for some Intel(R) Xeon(R) 6
processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user
to potentially enable escalation of privilege via local access.

CVE-2025-32086

Improperly implemented security check for standard in the DDRIO configuration
for some Intel(R) Xeon(R) 6 Processors when using Intel(R) SGX or Intel(R) TDX
may allow a privileged user to potentially enable escalation of privilege via
local access.

ELA-1559-1 openssl security update (by )

Wed, 29 Oct 2025 15:24:31 +0100

Package : openssl

Version : 1.1.0l-1~deb9u11 (stretch)

Related CVEs : CVE-2025-9230

Stanislav Fort discovered an out of bounds read and write issue when decrypting CMS messages that were encrypted using password based encryption.

ELA-1558-1 openssl security update (by )

Wed, 29 Oct 2025 11:58:53 +0100

Package : openssl

Version : 1.1.1n-0+deb10u8 (buster)

Related CVEs : CVE-2024-13176 CVE-2025-9230

Two vulnerabilities were found in OpenSSL, a Secure Sockets Layer toolkit:

CVE-2024-13176

A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation.

CVE-2025-9230

An application trying to decrypt CMS messages encrypted using
password based encryption can trigger an out-of-bounds read and write.

ELA-1557-1 python-pip security update (by )

Wed, 29 Oct 2025 00:51:32 +0100

Package : python-pip

Version : 9.0.1-2+deb9u3 (stretch), 18.1-5+deb10u1 (buster)

Multiple vulnerabilities have been discovered in python-pip, the Python package installer.

CVE-2019-20916

Directory traversal is possible when a URL is given in an install command,
because a Content-Disposition header can have ../ in a filename.

This issue had been fixed in Stretch already via version 9.0.1-2+deb9u2 of
python-pip (DLA-2370-1).

CVE-2021-3572

A flaw exists in the way Unicode separators are handled in Git references.

CVE-2023-5752

When installing a package from a Mercurial VCS URL, arbitrary configuration
options could be injected to the "hg clone" call.

CVE-2025-8869

Pip's tar extraction doesn't check that symbolic links point to extraction
directory.

ELA-1556-1 openjdk-11 security update (by )

Sun, 26 Oct 2025 20:48:27 +0100

Package : openjdk-11

Version : 11.0.29+6-1~deb10u1 (buster)

Related CVEs : CVE-2025-53057 CVE-2025-53066

Two vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in XML external entity injection attacks or incorrect certificate validation.

ELA-1555-1 request-tracker4 security update (by )

Sun, 26 Oct 2025 12:57:27 +0100

Package : request-tracker4

Version : 4.4.3-2+deb10u5 (buster)

Related CVEs : CVE-2025-61873

It was discovered that Request Tracker, an extensible trouble-ticket tracking system is prone to a CSV injection via ticket values with special characters that are exported to a TSV from search results.

ELA-1554-1 node-form-data security update (by )

Sat, 25 Oct 2025 17:26:26 +0200

Package : node-form-data

Version : 2.3.2-2+deb10u1 (buster)

Related CVEs : CVE-2025-7783

It was discovered that there was a potential HTTP Parameter Pollution (HPP) issue in node-form-data, a tool to create multipart/form-data streams module in Node.js applications.

ELA-1553-1 icedtea-web security update (by )

Sat, 25 Oct 2025 15:04:37 +0200

Package : icedtea-web

Version : 1.6.2-3.1+deb9u2 (stretch), 1.7.2-2+deb10u1 (buster)

Several security vulnerabilities were found in icedtea-web, an implementation of the Java Network Launching Protocol (JNLP).

CVE-2019-10181

 It was found that in icedtea-web executable code could be injected
 in a JAR file without compromising the signature verification. An
 attacker could use this flaw to inject code in a trusted JAR. The
 code would be executed inside the sandbox.

CVE-2019-10182

 It was found that icedtea-web did not properly sanitize paths from
 <jar/> elements in JNLP files. An attacker could trick a victim
 into running a specially crafted application and use this flaw to
 upload arbitrary files to arbitrary locations in the context of the
 user.

CVE-2019-10185

It was found that icedtea-web was vulnerable to a zip-slip attack
during auto-extraction of a JAR file. An attacker could use this
flaw to write files to arbitrary locations. This could also be used
to replace the main running application and, possibly, break out of
the sandbox.

ELA-1552-1 xrdp security update (by )

Fri, 24 Oct 2025 19:35:12 +0200

Package : xrdp

Version : 0.9.9-1+deb10u4 (buster)

Three issues found in xrdp are addressed in this update. xrdp is an open source remote desktop protocol (RDP) server.

xrdp had a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter MaxLoginRetry in /etc/xrdp/sesman.ini. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

Access to the font glyphs in xrdp_painter.c is not bounds-checked. Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, provided that xrdp is running in forking mode.

Improper handling of session establishment errors allows bypassing OS-level session restrictions. The auth_start_session function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) being bypassed. Users (administrators) that don’t use restrictions by PAM are not affected.

ELA-1551-1 raptor2 security update (by )

Wed, 22 Oct 2025 20:03:16 +0200

Package : raptor2

Version : 2.0.14-1+deb9u3 (stretch), 2.0.14-1.1~deb10u3 (buster)

Related CVEs : CVE-2024-57822 CVE-2024-57823

Two issues have been found in raptor2, an RDF parser and serializer utilities. One issue is related to a heap-based buffer over-read when parsing triples. The other issue is related to an integer underflow when normalizing an URI.

ELA-1550-1 gimp security update (by )

Wed, 22 Oct 2025 15:22:36 +0200

Package : gimp

Version : 2.8.18-1+deb9u5 (stretch), 2.10.8-2+deb10u4 (buster)

CVE-2025-6035

An integer overflow vulnerability exists in the GIMP “Despeckle” plug-in. The issue occurs due to unchecked multiplication of image dimensions, such as width, height, and bytes-per-pixel (img_bpp), which can result in allocating insufficient memory and subsequently performing out-of-bounds writes. This issue could lead to heap corruption, a potential denial of service (DoS), or arbitrary code execution in certain scenarios.
CVE-2025-10922

ZDI-CAN-27863: GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2025-48797

Flaw when processing certain TGA image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing a heap buffer overflow.
CVE-2025-48798

Flaw when processing XCF image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing use-after-free issues.

ELA-1549-1 gegl security update (by )

Wed, 22 Oct 2025 15:22:29 +0200

Package : gegl

Version : 0.3.8-4+deb9u1 (stretch)

Multiple vulnerabilities were discovered in GEGL, a graph-based image processing library, which could result in denial of service or the execution of arbitrary code if malformed files or filenames are processed.

CVE-2018-10113

The process function in operations/external/ppm-load.c has unbounded memory allocation, leading to a denial of service (application crash) upon allocation failure.
CVE-2018-10114

The gegl_buffer_iterate_read_simple function in buffer/gegl-buffer-access.c allows remote attackers to cause a denial of service (write access violation) or possibly have unspecified other impact via a malformed PPM file, related to improper restrictions on memory allocation in the ppm_load_read_header function in operations/external/ppm-load.c.
CVE-2021-45463

load_cache allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load.
CVE-2025-10921

GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability.

ELA-1548-1 gegl security update (by )

Wed, 22 Oct 2025 15:22:16 +0200

Package : gegl

Version : 0.4.12-2+deb10u1 (buster)

Related CVEs : CVE-2021-45463 CVE-2025-10921

CVE-2021-45463

load_cache allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load.
CVE-2025-10921

GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability.

ELA-1547-1 nginx security update (by )

Tue, 21 Oct 2025 20:18:47 +0200

Package : nginx

Version : 1.10.3-1+deb9u9 (stretch), 1.14.2-2+deb10u6 (buster)

Multiple vulnerabilities were found in nginx a popular webserver.

CVE-2024-7347

A vulnerability was found in the ngx_http_mp4_module,
This vulnerability might allow an attacker to over-read NGINX
worker memory resulting in its termination, using a specially crafted mp4 file.

CVE-2024-33452

A vulnerability was found in the lua-nginx-module.
This vulnerability allows a remote attacker to conduct HTTP request smuggling
via a crafted HEAD request.

CVE-2025-23419

When multiple server blocks are configured to share the same IP address and port,
an attacker can use session resumption to bypass client certificate authentication
requirements on these servers.
This vulnerability arises when TLS Session Tickets are used and/or the SSL session cache
are used in the default server and the default server is performing
client certificate authentication

ELA-1546-1 libphp-adodb security update (by )

Mon, 20 Oct 2025 22:56:57 +0200

Package : libphp-adodb

Version : 5.20.9-1+deb9u3 (stretch), 5.20.14-1+deb10u3 (buster)

Related CVEs : CVE-2025-54119

Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements (SQL injection) when the code using ADOdb connects to a sqlite3 or sqlite database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name.

ELA-1545-1 imagemagick security update (by )

Mon, 20 Oct 2025 09:52:54 +0200

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u23 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u12 (buster)

Related CVEs : CVE-2025-62171

An integer overflow vulnerability was discovered in the ReadBMP() function of the BMP decoder within ImageMagick.

Although CVE-2025-57803 was issued to address this flaw, the proposed fix is incomplete and fails to prevent exploitation in certain scenarios. Specifically, the patch introduces a BMPOverflowCheck() function in some code path, but it is invoked only after the overflow has already occurred—rendering in some case.

This oversight allows a specially crafted 58-byte BMP file to trigger AddressSanitizer crashes, potentially leading to denial-of-service (DoS) conditions.

This new issue was designated CVE-2025-62171.

ELA-1544-1 linux-5.10 security update (by )

Fri, 17 Oct 2025 17:53:00 +0200

Package : linux-5.10

Version : 5.10.244-1~deb9u1 (stretch), 5.10.244-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

Starting with this version, modules are signed with an ephemeral key on all architectures. This version additionally includes many more bug fixes from stable updates 5.10.238 through 5.10.244.

ELA-1543-1 linux-6.1 security update (by )

Thu, 16 Oct 2025 13:05:58 +0200

Package : linux-6.1

Version : 6.1.153-1~deb9u1 (stretch), 6.1.153-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information disclosure.

Starting with this version, modules are signed with an ephemeral key on all architectures, and the broken pktcdvd driver is disabled. This version additionally includes many more bug fixes from stable updates 6.1.141 through 6.1.153.

ELA-1542-1 libxml2 security update (by )

Wed, 15 Oct 2025 19:48:17 +0200

Package : libxml2

Version : 2.9.4+dfsg1-2.2+deb9u15 (stretch), 2.9.4+dfsg1-7+deb10u13 (buster)

Related CVEs : CVE-2025-9714

CVE-2025-9714: It was discovered that recursion evaluation in XPath evaluation is uncontrolled and therefore allows a local attacker to cause a stack overflow via crafted expressions.
CVE-2025-7425: Sergei Glazunov discovered a heap-use-after-free in xmlFreeID() caused by atype corruption. While the vulnerability was reported against libxslt, the XSLT 1.0 processing library, it is now mitigated in this libxml2 version.

ELA-1541-1 php-horde-css-parser security update (by )

Wed, 15 Oct 2025 17:27:18 +0200

Package : php-horde-css-parser

Version : 1.0.11-3+deb10u1 (buster)

Related CVEs : CVE-2020-13756

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

The php-horde-css-parser package bundles the Saberworm PHP CSS Parser code and is thus also vulnerable.

ELA-1540-1 qemu security update (by )

Wed, 15 Oct 2025 10:38:47 -0300

Package : qemu

Version : 1:3.1+dfsg-8+deb10u13 (buster)

Related CVEs : CVE-2023-3019 CVE-2024-3447

Multiple security issues were found in QEMU, a fast processor emulator, that could result in denial of service, information leak, or privilege escalation.

CVE-2023-3019

Use-after-free error in the e1000e NIC emulation.

CVE-2024-3447

Heap-based buffer overflow in SDHCI device emulation.

In Debian 10 “buster”, the affected packages are qemu-user-static (and qemu-user-binfmt).

ELA-1539-1 distro-info-data database update (by )

Tue, 14 Oct 2025 17:31:56 +0200

Package : distro-info-data

Version : 0.41+deb10u2~bpo9+9 (stretch), 0.41+deb10u13 (buster)

This is a routine update of the distro-info-data database for Debian ELTS users.

It updates the EoL date for bookworm and adds Ubuntu 26.04 LTS “Resolute Raccoon”.

Debian Contributions: Old Debian Printing software and C23, Work to decommission packages.qa.debian.org, rebootstrap uses *-for-host and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Tue, 14 Oct 2025 00:00:00 +0000

Debian Contributions: 2025-09

Updating old Debian Printing software to meet C23 requirements, by Thorsten Alteholz

The work of Thorsten fell under the motto “gcc15”. Due to the introduction of gcc15 in Debian, the default language version was changed to C23. This means that for example, function declarations without parameters are no longer allowed. As old software, which was created with ANSI C (or C89) syntax, made use of such function declarations, it was a busy month. One could have used something like -std=c17 as compile flags, but this would have just postponed the tasks. As a result Thorsten uploaded modernized versions of ink, nm2ppa and rlpr for the Debian printing team.

Work done to decommission packages.qa.debian.org, by Raphaël Hertzog

Raphaël worked to decommission the old package tracking system (packages.qa.debian.org). After figuring out that it was still receiving emails from the bug tracking system (bugs.debian.org), from multiple debian lists and from some release team tools, he reached out to the respective teams to either drop those emails or adjust them so that they are sent to the current Debian Package Tracker (tracker.debian.org).

rebootstrap uses *-for-host, by Helmut Grohne

Architecture cross bootstrapping is an ongoing effort that has shaped Debian in various ways over the years. A longer effort to express toolchain dependencies now bears fruit. When cross compiling, it becomes important to express what architecture one is compiling for in Build-Depends. As these packages have become available in “trixie”, more and more packages add this extra information and in August, the libtool package gained a gfortran-for-host dependency. It was the first package in the essential build closure to adopt this and required putting the pieces together in rebootstrap that now has to build gcc-defaults early on. There still are hundreds of packages whose dependencies need to be updated though.

Miscellaneous contributions

Raphaël dropped the “Build Log Scan” integration in tracker.debian.org since it was showing stale data for a while as the underlying service has been discontinued.
Emilio updated pixman to 0.46.4.
Emilio coordinated several transitions, and NMUed guestfs-tools to unblock one.
Stefano uploaded Python 3.14rc3 to Debian unstable. It’s not yet used by any packages, but it allows testing the level of support in packages to begin.
Stefano upgraded almost all of the debian-social infrastructure to Debian “trixie”.
Stefano published the sponsorship brochures for DebConf 26.
Stefano attended the Debian Technical Committee meeting.
Stefano uploaded routine upstream updates for a handful of Python packages (pycparser, beautifulsoup4, platformdirs, pycparser, python-authlib, python-cffi, python-mitogen, python-resolvelib, python-super-collections, twine).
Stefano reviewed and responded to DebConf 25 feedback.
Stefano investigated and fixed a request visibility bug in debian-reimbursements (for admin-altered requests).
Lucas reviewed a couple of merge requests from external contributors for Go and Ruby packages.
Lucas updated some ruby packages to its latest upstream version (thin, passenger, and puma is still WIP).
Lucas set up the build environment to run rebuilds of reverse dependencies of ruby using ruby3.4. As an alternative, he is looking for personal repositories provided by Debusine to perform this task more easily. This is the preparation for the transition to ruby3.4 as the default in Debian.
Lucas helped on the next round of the Outreachy internship program.
Helmut sent patches for 30 cross build failures and responded to cross building support questions on the mailing list.
Helmut continued to maintain rebootstrap. As gcc version 15 became the default, test jobs for version 14 had to be dropped. A fair number of patches were applied to packages and could be dropped.
Helmut resumed removing RC-buggy packages from unstable and sponsored a termrec upload to avoid its deletion. This work was paused to give packages some time to migrate to “forky”.
Santiago reviewed different merge requests created by different contributors. Those MRs include a new test to build reverse dependencies, created by Aquila Macedo as part of his GSoC internship; restore how lintian was used in experimental, thanks Otto Kekäläinen; and the fix by Christian Bayle to support again extra repositories in deb822-style sources, whose support was broken with the move to sbuild+unshare last month.
While doing some new upstream release updates, thanks to Debusine’s reverse dependencies autopkgtest checks, Santiago discovered that paramiko 4.0 will introduce a regression in libcloud by the drop of support for the obsolete DSA keys. Santiago finally uploaded to unstable both paramiko 4.0, and a regression fix for libcloud.
Santiago has taken part in different discussions and meetings for the preparation of DebConf 26. The DebConf 26 local team aims to prepare for the conference with enough time in advance.
Carles kept working on the missing-package-relations and reporting missing Recommends. He improved the tooling to detect and report bugs creating 269 bugs and followed up comments. 37 bugs have been resolved, others acknowledged. The missing Recommends are a mixture of packages that are gone from Debian, packages that changed name, typos and also packages that were recommended but are not packaged in Debian.
Carles improved the missing-package-relations to report broken Suggests only for packages that used to be in Debian but are removed from it now. No bugs have been created yet for this case but identified 1320 of them.
Colin spent much of the month chasing down build/test regressions in various Python packages due to other upgrades, particularly relating to pydantic, python-pytest-asyncio, and rust-pyo3.
Colin optimized some code in ubuntu-dev-tools (affecting e.g. pull-debian-source) that made O(n) HTTP requests when it could instead make O(1).
Anupa published Micronews as part of Debian Publicity team work.

ELA-1538-1 libfcgi security update (by )

Mon, 13 Oct 2025 19:06:30 +0200

Package : libfcgi

Version : 2.4.0-8.4+deb9u1 (stretch), 2.4.0-10+deb10u1 (buster)

Related CVEs : CVE-2025-23016

An issue has been found in libfcgi, a FastCGI bridge from CGI. The issue is related to an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket.

Monthly report about Debian Long Term Support, September 2025 (by Roberto C. Sánchez)

Roberto C. Sánchez — Mon, 13 Oct 2025 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In September, 20 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 10.0h (out of 10.0h assigned and 4.0h from previous period), thus carrying over 4.0h to the next month.
Andreas Henriksson did 1.0h (out of 0.0h assigned and 20.0h from previous period), thus carrying over 19.0h to the next month.
Bastien Roucariès did 20.0h (out of 20.0h assigned).
Ben Hutchings did 20.0h (out of 21.0h assigned), thus carrying over 1.0h to the next month.
Carlos Henrique Lima Melara did 10.0h (out of 12.0h assigned), thus carrying over 2.0h to the next month.
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 21.0h (out of 21.0h assigned).
Emilio Pozuelo Monfort did 39.75h (out of 40.0h assigned), thus carrying over 0.25h to the next month.
Guilhem Moulin did 15.0h (out of 15.0h assigned).
Jochen Sprickerhof did 12.0h (out of 9.25h assigned and 11.75h from previous period), thus carrying over 9.0h to the next month.
Lee Garrett did 13.5h (out of 21.0h assigned), thus carrying over 7.5h to the next month.
Lucas Kanashiro did 8.0h (out of 20.0h assigned), thus carrying over 12.0h to the next month.
Markus Koschany did 15.0h (out of 3.25h assigned and 17.75h from previous period), thus carrying over 6.0h to the next month.
Paride Legovini did 6.0h (out of 8.0h assigned), thus carrying over 2.0h to the next month.
Roberto C. Sánchez did 7.25h (out of 7.75h assigned and 13.25h from previous period), thus carrying over 13.75h to the next month.
Santiago Ruano Rincón did 13.25h (out of 13.5h assigned and 1.5h from previous period), thus carrying over 1.75h to the next month.
Sylvain Beucler did 17.0h (out of 7.75h assigned and 13.25h from previous period), thus carrying over 4.0h to the next month.
Thorsten Alteholz did 21.0h (out of 21.0h assigned).
Tobias Frost did 5.0h (out of 0.0h assigned and 8.0h from previous period), thus carrying over 3.0h to the next month.
Utkarsh Gupta did 16.5h (out of 14.25h assigned and 6.75h from previous period), thus carrying over 4.5h to the next month.

Evolution of the situation

In September, we released 38 DLAs.

Notable security updates:
- modsecurity-apache prepared by Adrian Bunk, fixes a cross-site scripting vulnerability
- cups, prepared by Thorsten Alteholz, fixes authentication bypass and denial of service vulnerabilities
- jetty9, prepared by Adrian Bunk, fixes the MadeYouReset vulnerability (a recent, well-known denial of service vulnerability)
- python-django, prepared by Chris Lamb, fixes a SQL injection vulnerability
- firefox-esr and thunderbird, prepared by Emilio Pozuelo Monfort, were updated from the 128.x ESR series to the 140.x ESR series, fixing a number of vulnerabilities as well
Notable non-security updates:
- wireless-regdb prepared by Ben Hutchings, updates information reflecting changes to radio regulations in many countries

There was one package update contributed by a Debian Developer outside of the LTS Team: an update of node-tar-fs, prepared by Xavier Guimard (a member of the Node packaging team).

Finally, LTS Team members also contributed updates of the following packages:

libxslt (to stable and oldstable), prepared by Guilhem Moulin, to address a regression introduced in a previous security update
libphp-adodb (to stable and oldstable), prepared by Abhijith PA
cups (to stable and oldstable), prepared by Thorsten Alteholz
u-boot (to oldstable), prepared by Daniel Leidert and Jochen Sprickerhof
libcommongs-lang3-java (to stable and oldstable), prepared by Daniel Leidert
python-internetarchive (to oldstable), prepared by Daniel Leidert

One other notable contribution by a member of the LTS Team is that Sylvain Beucler proposed a fix upstream for CVE-2025-2760 in gimp2. Upstream no longer supports gimp2, but it is still present in Debian LTS, and so proposing this fix upstream is of benefit to other distros which may still be supporting the older gimp2 packages.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 120 months)
- Civil Infrastructure Platform (CIP) (for 88 months)
- VyOS Inc (for 52 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 130 months)
- Akamai - Linode (for 124 months)
- Babiel GmbH (for 114 months)
- Plat’Home (for 113 months)
- University of Oxford (for 70 months)
- Deveryware (for 57 months)
- EDF SA (for 42 months)
- Dataport AöR (for 17 months)
- CERN (for 15 months)
Silver sponsors:
- Domeneshop AS (for 135 months)
- Nantes Métropole (for 129 months)
- Univention GmbH (for 121 months)
- Université Jean Monnet de St Etienne (for 121 months)
- Ribbon Communications, Inc. (for 115 months)
- Exonet B.V. (for 105 months)
- Leibniz Rechenzentrum (for 99 months)
- Ministère de l’Europe et des Affaires Étrangères (for 83 months)
- Cloudways by DigitalOcean (for 72 months)
- Dinahosting SL (for 70 months)
- Platform.sh SAS (for 64 months)
- Moxa Inc. (for 58 months)
- sipgate GmbH (for 56 months)
- OVH US LLC (for 54 months)
- Tilburg University (for 54 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 45 months)
- THINline s.r.o. (for 18 months)
- Copenhagen Airports A/S (for 12 months)
Bronze sponsors:
- Evolix (for 135 months)
- Seznam.cz, a.s. (for 135 months)
- Intevation GmbH (for 132 months)
- Linuxhotel GmbH (for 132 months)
- Daevel SARL (for 131 months)
- Megaspace Internet Services GmbH (for 130 months)
- Greenbone AG (for 129 months)
- NUMLOG (for 129 months)
- WinGo AG (for 128 months)
- Entr’ouvert (for 120 months)
- Adfinis AG (for 117 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 112 months)
- Tesorion (for 112 months)
- Bearstech (for 103 months)
- LiHAS (for 103 months)
- Catalyst IT Ltd (for 98 months)
- Demarcq SAS (for 92 months)
- Université Grenoble Alpes (for 78 months)
- TouchWeb SAS (for 70 months)
- SPiN AG (for 67 months)
- CoreFiling (for 63 months)
- Institut des sciences cognitives Marc Jeannerod (for 58 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 54 months)
- Tem Innovations GmbH (for 49 months)
- WordFinder.pro (for 48 months)
- CNRS DT INSU Résif (for 47 months)
- Soliton Systems K.K. (for 42 months)
- Alter Way (for 40 months)
- Institut Camille Jordan (for 30 months)
- SOBIS Software GmbH (for 15 months)
- Tuxera Inc. (for 6 months)

ELA-1537-1 redis security update (by )

Thu, 09 Oct 2025 10:26:31 -0700

Package : redis

Version : 3:3.2.6-3+deb9u17 (stretch), 5:5.0.14-1+deb10u10 (buster)

Multiple vulnerabilities were discovered in Redis, a popular key/value database:

CVE-2025-46817: Fix an issue where an authenticated user could have used a specially-crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
CVE-2025-46819: Address a potential vulnerability where an authenticated user could have used a specially-crafted Lua script to read out-of-bound data and/or crash the server and thereby create a denial of service attack.
CVE-2025-49844: Fix an issue where authenticated users could have exploited a specially-crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution.

ELA-1536-1 mosquitto security update (by )

Tue, 07 Oct 2025 21:22:17 -0300

Package : mosquitto

Version : 1.5.7-1+deb10u2 (buster)

Related CVEs : CVE-2024-10525

CVE-2024-10525

If a malicious broker sends a crafted SUBACK packet with no reason codes, a
client using libmosquitto may make out of bounds memory access when acting in
its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr
clients.

ELA-1535-1 python-django security update (by )

Tue, 07 Oct 2025 14:06:15 -0700

Package : python-django

Version : 1:1.10.7-2+deb9u27 (stretch), 1:1.11.29-1+deb10u16 (buster)

Related CVEs : CVE-2025-59681 CVE-2025-59682

It was discovered that there were two vulnerabilities in Django, a popular web development framework:

CVE-2025-59681: Fix a potential SQL injection in QuerySet.annotate(), alias(), aggregate() and extra(). These methods were subject to SQL injection in column aliases, using a suitably crafted dictionary via dictionary expansion as the **kwargs passed to these methods on MySQL and MariaDB.
CVE-2025-59682: Fix a potential partial directory-traversal vulnerability in archive.extract(). This function, used by startapp --template and startproject --template allowed partial directory-traversal via an archive with file paths sharing a common prefix with the target directory.

ELA-1534-1 freeipa security update (by )

Sun, 05 Oct 2025 12:20:11 +0200

Package : freeipa

Version : 4.7.2-3+deb10u2 (buster)

FreeIPA, an integrated security information management solution designed for Linux and Unix environments, was affected by multiple vulnerabilities.

CVE-2019-10195

FreeIPA's batch processing API logged operations, including user passwords in clear text on FreeIPA masters.
Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA
but is possible by third-party components. An attacker having access to system logs on FreeIPA masters
could use this flaw to produce log file content with passwords exposed.

CVE-2019-14867

A flaw was found in FreeIPA in the way the internal function ber_scanf() was used in some components,
which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal
key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed
on the server hosting the IPA server.

CVE-2024-3183

A flaw was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client’s session key.
This key is different for each new session, which protects it from brute force attacks. However,
the ticket it contains is encrypted using the target principal key directly. For user principals,
this key is a hash of a public per-principal randomly-generated salt and the user’s password.
If a principal is compromised it means the attacker would be able to retrieve tickets encrypted
to any principal, all of them being encrypted by their own key directly.
By taking these tickets and salts offline, the attacker could run brute force attacks to
find character strings able to decrypt tickets when combined to a principal salt (i.e. find the principal’s password).

CVE-2024-11029

A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl.
As a consequence, during the FreeIPA installation process, it inadvertently leaks the administrative
user credentials, including the administrator password, to the journal database. In the worst-case scenario,
where the journal log is centralized, users with access to it can have improper access to the FreeIPA administrator credentials.

CVE-2025-4404

A privilege escalation from host to domain vulnerability was found in the FreeIPA project.
The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin
account by default, allowing users to create services with the same canonical name as the REALM admin.
When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service,
containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over
the REALM, leading to access to sensitive data and sensitive data exfiltration.

ELA-1533-1 libcpanel-json-xs-perl security update (by )

Wed, 01 Oct 2025 19:45:18 -0300

Package : libcpanel-json-xs-perl

Version : 4.09-1+deb10u1 (buster)

Related CVEs : CVE-2025-40928

A vulnerability has been fixed in libcpanel-json-xs-perl, a Perl module for serialising to JSON.

CVE-2025-40928

Integer buffer overflow causing a segfault when parsing crafted JSON,
enabling denial-of-service attacks or other unspecified impact.

ELA-1532-1 libjson-xs-perl security update (by )

Wed, 01 Oct 2025 19:43:27 -0300

Package : libjson-xs-perl

Version : 3.030-1+deb9u1 (stretch), 3.040-1+deb10u1 (buster)

Related CVEs : CVE-2025-40928

A vulnerability has been fixed in libjson-xs-perl, a Perl module which does C/XS-accelerated manipulation of JSON-formatted data.

CVE-2025-40928

Integer buffer overflow causing a segfault when parsing crafted JSON,
enabling denial-of-service attacks or other unspecified impact.

ELA-1531-1 tiff security update (by )

Wed, 01 Oct 2025 10:08:29 +0200

Package : tiff

Version : 4.0.8-2+deb9u14 (stretch), 4.1.0+git191117-2~deb10u11 (buster)

Related CVEs : CVE-2024-13978 CVE-2025-9900

Multiple vulnerabilities were fixed in tiff, a library and tools providing support for the Tag Image File Format (TIFF).

CVE-2024-13978: Affected by this vulnerability is the function t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult.
CVE-2025-9900: This vulnerability is a “write-what-where” condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file’s metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

ELA-1510-2 libcommons-lang-java regression update (by )

Wed, 01 Oct 2025 04:59:40 +0200

Package : libcommons-lang-java

Version : 2.6-6+deb9u2 (stretch), 2.6-8+deb10u2 (buster)

The patch to fix CVE-2025-48924 has not been backported correctly and can lead to an unexpected ClassNotFoundException in ClassUtils.getClass(). Updated packages are now available to correct this issue.

ELA-1530-1 libcommons-lang3-java security update (by )

Wed, 01 Oct 2025 04:46:45 +0200

Package : libcommons-lang3-java

Version : 3.5-1+deb9u1 (stretch), 3.8-2+deb10u1 (buster)

Related CVEs : CVE-2025-48924

A vulnerability was discovered in Apache Commons Lang utility classes, a Java API for classes that are in java.lang’s hierarchy.

CVE-2025-48924

An uncontrolled recursion vulnerability was discovered in Apache Commons
Lang. The method ClassUtils.getClass() can throw a StackOverflowError
on very long inputs.

ELA-1529-1 modsecurity-apache security update (by )

Tue, 30 Sep 2025 22:58:37 -0300

Package : modsecurity-apache

Version : 2.9.3-3+deb11u5~deb10u1 (buster)

Related CVEs : CVE-2025-54571

Cross-site scripting due to insufficient return value handling has been fixed in modsecurity-apache, a module for the Apache webserver to tighten Web application security.

ELA-1528-1 wireless-regdb upstream version update (by )

Tue, 30 Sep 2025 18:13:56 -0300

Package : wireless-regdb

Version : 2025.07.10-1~deb9u1 (stretch), 2025.07.10-1~deb10u1 (buster)

This update includes the changes in wireless-regdb 2025.07.10, reflecting changes to radio regulations in several countries.

ELA-1527-1 mplayer security update (by )

Sat, 27 Sep 2025 18:11:32 +0200

Package : mplayer

Version : 2:1.3.0-6+deb9u1 (stretch)

Several issues have been found in mplayer, a movie player for Unix-like systems. They are basically related to buffer overflows, divide by zero or out of bounds read in different parts of the code.

ELA-1526-1 ceph security update (by )

Sat, 27 Sep 2025 17:26:36 +0200

Package : ceph

Version : 10.2.11-2+deb9u3 (stretch), 12.2.11+dfsg1-2.1+deb10u2 (buster)

Related CVEs : CVE-2025-52555

Ceph a distributed file system was affected by a vulnerability.

An unprivileged user can escalate to root privileges in a ceph-fuse mounted CephFS by chmod 777 a directory owned by root to gain access.

The result of this is that a user could read, write and execute to any directory as long as they chmod 777 it. This impacts confidentiality, integrity, and availability.

ELA-1525-1 libxslt security update (by )

Thu, 25 Sep 2025 12:21:55 +0200

Package : libxslt

Version : 1.1.29-2.1+deb9u5 (stretch), 1.1.32-2.2~deb10u4 (buster)

Related CVEs : CVE-2023-40403 CVE-2025-7424

CVE-2023-40403: It was discovered that the generate-id() function could return deterministic values and could leak the memory layout of different XML objects, which might lead to information disclosure.
CVE-2025-7424: Ivan Fratric discovered a type confusion vulnerability in xmlNode.psvi between stylesheet and source nodes, which could lead to application crash.

ELA-1524-1 corosync security update (by )

Mon, 22 Sep 2025 23:32:30 +0200

Package : corosync

Version : 2.4.2-3+deb9u2 (stretch), 3.0.1-2+deb10u2 (buster)

Related CVEs : CVE-2025-30472

An issue has been found in corosync, a cluster engine daemon and utilities. A stack-based buffer overflow may happen when encryption is disabled or the attacker knows the encryption key and a large crafted UDP packet has to be processed.

ELA-1523-1 syslog-ng security update (by )

Mon, 22 Sep 2025 19:17:19 +0200

Package : syslog-ng

Version : 3.8.1-10+deb9u2 (stretch), 3.19.1-5+deb10u2 (buster)

Related CVEs : CVE-2024-47619

Syslog-ng, a widely used logging service, was found to be vulnerable due to improper handling of wildcard certificates during TLS authentication.

Specifically, the function tls_wildcard_match() incorrectly accepted certificate patterns like foo.*.bar, which violate standard wildcard rules and should not be permitted. Additionally, partial wildcard patterns such as foo.a*c.bar were matched by GLib, further weakening the authentication mechanism.

This flaw could allow a monster-in-the-middle attacker to impersonate legitimate endpoints, compromising the integrity of secure logging. Such wildcard mismatches must be explicitly rejected to ensure robust TLS validation.

ELA-1522-1 pam security update (by )

Mon, 22 Sep 2025 19:00:59 +0200

Package : pam

Version : 1.1.8-3.6+deb9u1 (stretch), 1.3.1-5+deb10u1 (buster)

Related CVEs : CVE-2024-22365 CVE-2025-6020

Multiple vulnerabilities were found in the PAM namespace module, used to configure private namespaces for user sessions.

CVE-2024-22365

Attackers may cause a denial of service
blocking the login process, via mkfifo, because the
openat call (for protect_dir) lacks the O_DIRECTORY flag.

CVE-2025-6020

pam_namespace may use access user-controlled paths
without proper protection, allowing local users to elevate
their privileges to root via multiple symlink attacks
and race conditions.

ELA-1521-1 shibboleth-sp security update (by )

Sun, 21 Sep 2025 22:24:49 +0200

Package : shibboleth-sp

Version : 3.0.4+dfsg1-1+deb10u3 (buster)

Related CVEs : CVE-2025-9943

An SQL injection vulnerability has been identified in the “ID” attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service.

An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin.

ELA-1520-1 jq security update (by )

Sun, 21 Sep 2025 17:36:58 +0200

Package : jq

Version : 1.5+dfsg-1.3+deb9u1 (stretch), 1.5+dfsg-2+deb10u1 (buster)

Related CVEs : CVE-2025-48060

An issue has been found in jq, a lightweight and flexible command-line JSON processor. A heap buffer overflow may happen when formatting empty strings.

ELA-1519-1 openvpn security update (by )

Sat, 20 Sep 2025 14:29:16 -0300

Package : openvpn

Version : 2.4.0-6+deb9u5 (stretch)

Related CVEs : CVE-2024-5594

A vulnerability was discovered in openvpn, a virtual private network application which could result in data injection.

CVE-2024-5594

OpenVPN does not sanitize PUSH_REPLY messages properly which
attackers can use to inject unexpected arbitrary data into
third-party executables or plug-ins.

ELA-1518-1 openvpn security update (by )

Sat, 20 Sep 2025 14:27:50 -0300

Package : openvpn

Version : 2.4.7-1+deb10u2 (buster)

Related CVEs : CVE-2022-0547 CVE-2024-5594

Two vulnerabilities were discovered in openvpn, a virtual private network application which could result in authentication bypass or data injection.

CVE-2022-0547

OpenVPN may enable authentication bypass in external
authentication plug-ins when more than one of them makes use of
deferred authentication replies, which allows an external user to
be granted access with only partially correct credentials.

CVE-2024-5594

OpenVPN does not sanitize PUSH_REPLY messages properly which
attackers can use to inject unexpected arbitrary data into
third-party executables or plug-ins.

ELA-1517-1 python-eventlet security update (by )

Thu, 18 Sep 2025 11:52:57 -0700

Package : python-eventlet

Version : 0.19.0-6+deb9u1 (stretch), 0.20.0-6+deb10u1 (buster)

Related CVEs : CVE-2025-58068 CVE-2023-40217

A potential HTTP Request Smuggling issue was discovered in python-eventlet, a concurrent networking library for Python.

This issue was caused by the improper handling of HTTP trailer sections. This vulnerability could have permitted attackers to bypass front-end security controls, launch targeted attacks against active site users and/or poison web caches. This problem has been addressed by dropping trailers, a potentially breaking change if a backend behind the eventlet.wsgi proxy requires such trailers.

ELA-1516-1 imagemagick security update (by )

Sun, 14 Sep 2025 20:01:46 +0200

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u22 (stretch)

Multiple vulnerabilities were fixed in imagemagick an image manipulation software suite.

CVE-2017-11531

A crafted file in convert, can lead to a Memory Leak in the WriteHISTOGRAMImage()
function in coders/histogram.c.

CVE-2017-11532

A crafted file in convert, can lead to a Memory Leak in the WriteMPCImage()
function in coders/mpc.c.

CVE-2017-11534

A crafted file in convert, can lead to a Memory Leak in the lite_font_map()
function in coders/wmf.c.

CVE-2025-53014

A heap buffer overflow was found in the `InterpretImageFilename`
function. The issue stems from an off-by-one error that causes
out-of-bounds memory access when processing format strings
containing consecutive percent signs (`%%`).

CVE-2025-53019

ImageMagick's `magick stream` command, specifying multiple
consecutive `%d` format specifiers in a filename template
caused a memory leak

CVE-2025-53101

ImageMagick's `magick mogrify` command, specifying
multiple consecutive `%d` format specifiers in a filename
template caused internal pointer arithmetic to generate
an address below the beginning of the stack buffer,
resulting in a stack overflow through `vsnprintf()`.

CVE-2025-55154

The magnified size calculations in ReadOneMNGIMage
(in coders/png.c) are unsafe and can overflow,
leading to memory corruption.

CVE-2025-55212

passing a geometry string containing only a colon (":")
to montage -geometry leads GetGeometry() to set width/height
to 0. Later, ThumbnailImage() divides by these zero dimensions,
triggering a crash (SIGFPE/abort)

CVE-2025-55298

A format string bug vulnerability exists in InterpretImageFilename
function where user input is directly passed to FormatLocaleString
without proper sanitization. An attacker can overwrite arbitrary
memory regions, enabling a wide range of attacks from heap
overflow to remote code execution.

CVE-2025-57803

A 32-bit integer overflow in the BMP encoderâ??s scanline-stride
computation collapses bytes_per_line (stride) to a tiny
value while the per-row writer still emits 3 Ã? width bytes
for 24-bpp images. The row base pointer advances using the
(overflowed) stride, so the first row immediately writes
past its slot and into adjacent heap memory with
attacker-controlled bytes.

CVE-2025-57807

A security problem was found in SeekBlob(), which permits
advancing the stream offset beyond the current end without
increasing capacity, and WriteBlob(), which then expands by
quantum + length (amortized) instead of offset + length,
and copies to data + offset. When offset â?« extent, the
copy targets memory beyond the allocation, producing a
deterministic heap write on 64-bit builds. No 2â?¶â?´
arithmetic wrap, external delegates, or policy settings
are required.

ELA-1515-1 imagemagick security update (by )

Sat, 13 Sep 2025 21:05:44 +0200

Package : imagemagick

Version : 8:6.9.10.23+dfsg-2.1+deb10u11 (buster)

Multiple vulnerabilities were fixed in imagemagick an image manipulation software suite.

CVE-2025-53014

A heap buffer overflow was found in the `InterpretImageFilename`
function. The issue stems from an off-by-one error that causes
out-of-bounds memory access when processing format strings
containing consecutive percent signs (`%%`).

CVE-2025-53019

ImageMagick's `magick stream` command, specifying multiple
consecutive `%d` format specifiers in a filename template
caused a memory leak

CVE-2025-53101

ImageMagick's `magick mogrify` command, specifying
multiple consecutive `%d` format specifiers in a filename
template caused internal pointer arithmetic to generate
an address below the beginning of the stack buffer,
resulting in a stack overflow through `vsnprintf()`.

CVE-2025-55154

The magnified size calculations in ReadOneMNGIMage
(in coders/png.c) are unsafe and can overflow,
leading to memory corruption.

CVE-2025-55212

passing a geometry string containing only a colon (":")
to montage -geometry leads GetGeometry() to set width/height
to 0. Later, ThumbnailImage() divides by these zero dimensions,
triggering a crash (SIGFPE/abort)

CVE-2025-55298

A format string bug vulnerability exists in InterpretImageFilename
function where user input is directly passed to FormatLocaleString
without proper sanitization. An attacker can overwrite arbitrary
memory regions, enabling a wide range of attacks from heap
overflow to remote code execution.

CVE-2025-57803

A 32-bit integer overflow in the BMP encoderâ??s scanline-stride
computation collapses bytes_per_line (stride) to a tiny
value while the per-row writer still emits 3 Ã? width bytes
for 24-bpp images. The row base pointer advances using the
(overflowed) stride, so the first row immediately writes
past its slot and into adjacent heap memory with
attacker-controlled bytes.

CVE-2025-57807

A security problem was found in SeekBlob(), which permits
advancing the stream offset beyond the current end without
increasing capacity, and WriteBlob(), which then expands by
quantum + length (amortized) instead of offset + length,
and copies to data + offset. When offset â?« extent, the
copy targets memory beyond the allocation, producing a
deterministic heap write on 64-bit builds. No 2â?¶â?´
arithmetic wrap, external delegates, or policy settings
are required.

ELA-1514-1 ca-certificates-java bugfix update (by )

Sat, 13 Sep 2025 18:56:46 +0200

Package : ca-certificates-java

Version : 20230710~deb12u1~deb11u1~deb10u1 (buster)

The ca-certificates-java package needs to be upgraded to resolve a circular dependency between Java packages and ca-certificates, which would otherwise prevent the system certificates from being updated.

ELA-1513-1 opencv security update (by )

Fri, 12 Sep 2025 14:25:55 -0300

Package : opencv

Version : 3.2.0+dfsg-6+deb10u1 (buster)

Multiple vulnerabilities were found in the computer vision library OpenCV.

CVE-2017-18009

Buffer overflow in the cv::HdrDecoder::checkSignature function

CVE-2019-14491

Out-of-bounds read in cv::predictOrdered<cv::HaarEvaluator>

CVE-2019-14492

Out-of-bounds read/write in the HaarEvaluator::OptFeature::calc function

CVE-2019-14493

NULL pointer dereference in the cv::XMLParser::parse funcion

CVE-2019-15939

Divide-by-zero error in cv::HOGDescriptor::getDescriptorSize

CVE-2019-19624

Out-of-bounds read in the calc() function of dis_flow.cpp, when dealing
with small images

Using JavaScript in Debusine without depending on JavaScript (by Enrico Zini)

Enrico Zini — Fri, 12 Sep 2025 00:00:00 +0000

Debusine is a tool designed for Debian developers and Operating System developers in general. This posts describes our approach to the use of JavaScript, and some practical designs we came up with to integrate it with Django with minimal effort.

Debusine web UI and JavaScript

Debusine currently has 3 user interfaces: a client on the command line, a RESTful API, and a Django-based Web UI.

Debusine’s web UI is a tool to interact with the system, and we want to spend most of our efforts in creating a system that works and works well, rather than chasing the latest and hippest of the frontend frameworks for the web.

Also, Debian as a community has an aversion to having parts of the JavaScript ecosystem in the critical path of its core infrastructure, and in our professional experience this aversion is not at all unreasonable.

This leads to having some interesting requirements for the web UI, that (rather surprisingly, one would think) one doesn’t usually find advertised in many projects:

Straightforward to create and maintain.
Well integrated with Django.
Easy to package in Debian, with as little vendoring as possible, which helps mitigate supply chain attacks
Usable without JavaScript whenever possible, for progressive enhancement rather than core functionality.

The idea is to avoid growing the technical complexity and requirements of the web UI, both server-side and client-side, for functionality that is not needed for this kind of project, with tools that do not fit well in our ecosystem.

Also, to limit the complexity of the JavaScript portions that we do develop, we choose to limit our JavaScript browser supports to the main browser versions packaged in Debian Stable, plus recent oldstable.

This makes JavaScript easier to write and maintain, and it also makes it less needed, as modern HTML plus modern CSS interfaces can go a long way with less scripting interventions.

We recently encoded JavaScript practices and tradeoffs in a JavaScript Practices chapter of Debusine’s documentation.

How we use JavaScript

From the start we built the UI using Bootstrap, which helps in having responsive layouts that can also work on mobile devices.

When we started having large select fields, we introduced Select2 to make interaction more efficient, and which degrades gracefully to working HTML.

Both Bootstrap and Select2 are packaged in Debian.

Form validation is done server-side by Django, and we do not reimplement it client-side in JavaScript, as we prefer the extra round trip through a form submission to the risk of mismatches between the two validations.

In those cases where a UI task is not at all possible without JavaScript, we can make its support mandatory as long as the same goal can be otherwise achieved using the debusine client command.

Django messages as Bootstrap toasts

Django has a Messages framework that allows different parts of a view to push messages to the user, and it is useful to signal things like a successful form submission, or warnings on unexpected conditions.

Django messages integrate well with Bootstrap toasts, which use a recognisable notification language, are nicely dismissible and do not invade the rest of the page layout.

Since toasts require JavaScript to work, we added graceful degradation. to Bootstrap alerts

Doing so was surprisingly simple: we handle the toasts as usual, and also render the plain alerts inside a <noscript> tag.

This is precisely the intended usage of the <noscript> tag, and it works perfectly: toasts are displayed by JavaScript when it’s available, or rendered as alerts when not.

The resulting Django template is something like this:

<div aria-live="polite" aria-atomic="true" class="position-relative">
    <div class="toast-container position-absolute top-0 end-0 p-3">
    {% for message in messages %}
        <div class="toast" role="alert" aria-live="assertive" aria-atomic="true">
            <div class="toast-header">
                <strong class="me-auto">{{ message.level_tag|capfirst }}</strong>
                <button type="button"
                        class="btn-close"
                        data-bs-dismiss="toast"
                        aria-label="Close"></button>
            </div>
            <div class="toast-body">{{ message }}</div>
        </div>
    {% endfor %}
    </div>
</div>

<!-- … -->

{% if messages %}
<noscript>
    {% for message in messages %}
        <div class="alert alert-primary" role="alert">
            {{ message }}
        </div>
    {% endfor %}
</noscript>
{% endif %}

We have a webpage to test the result.

JavaScript incremental improvement of formsets

Debusine is built around workspaces, which are, among other things, containers for resources.

Workspaces can inherit from other workspaces, which act as fallback lookups for resources. This allows, for example, to maintain an experimental package to be built on Debian Unstable, without the need to copy the whole Debian Unstable workspace. A workspace can inherit from multiple others, which are looked up in order.

When adding UI to configure workspace inheritance, we faced the issue that plain HTML forms do not have a convenient way to perform data entry of an ordered list.

We initially built the data entry around Django formsets, which support ordering using an extra integer input field to enter the ordering position. This works, and it’s good as a fallback, but we wanted something more appropriate, like dragging and dropping items to reorder them, as the main method of interaction.

Our final approach renders the plain formset inside a <noscript> tag, and the JavaScript widget inside a display: none element, which is later shown by JavaScript code.

As the workspace inheritance is edited, JavaScript serializes its state into <form type='hidden'> fields that match the structure used by the formset, so that when the form is submitted, the view performs validation and updates the server state as usual without any extra maintenance burden.

Serializing state as hidden form fields looks a bit vintage, but it is an effective way of preserving the established data entry protocol between the server and the browser, allowing us to do incremental improvement of the UI while minimizing the maintenance effort.

More to come

Debusine is now gaining significant adoption and is still under active development, with new features like personal archives coming soon.

This will likely mean more user stories for the UI, so this is a design space that we are going to explore again and again in the coming future.

Meanwhile, you can try out Debusine on debusine.debian.net, and follow its development on salsa.debian.org!

ELA-1512-1 cups security update (by )

Thu, 11 Sep 2025 23:53:19 +0200

Package : cups

Version : 2.2.1-8+deb9u13 (stretch), 2.2.10-6+deb10u12 (buster)

Related CVEs : CVE-2025-58060 CVE-2025-58364

Two vulnerabilities were discovered in cups, the Common UNIX Printing System, which may result in authentication bypass with AuthType Negotiate or in denial of service (daemon crash).

Debian Contributions: Preparing for setup.py install deprecation, Salsa CI, Debian 13 "trixie" release and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Thu, 11 Sep 2025 00:00:00 +0000

Debian Contributions: 2025-08

Preparing for `setup.py install` deprecation, by Colin Watson

setuptools upstream will be removing the setup.py install command on 31 October. While this may not trickle down immediately into Debian, it does mean that in the near future nearly all Python packages will have to use pybuild-plugin-pyproject (though they don’t necessarily have to use pyproject.toml; this is just a question of how the packaging runs the build system). Some of the Python team talked about this a bit at DebConf, and Colin volunteered to write up some notes on cases where this isn’t straightforward. This page will likely grow as the team works on this problem.

Salsa CI, by Santiago Ruano Rincón

Santiago fixed some pending issues in the MR that moves the pipeline to sbuild+unshare, and after several months, Santiago was able to mark the MR as ready. Part of the recent fixes include handling external repositories, honoring the RELEASE autodetection from d/changelog (thanks to Ahmed Siam for spotting the main reason of the issue), and fixing a regression about the apt resolver for *-backports releases. Santiago is currently waiting for a final review and approval from other members of the Salsa CI team, and being able to merge it. Thanks to all the folks who have helped testing the changes or provided feedback so far. If you want to test the current MR, you need to include the following pipeline definition in your project’s CI config file:

---
include:
  - https://salsa.debian.org/santiago/pipeline/raw/sbuild-unshare-02-salsa-ci/salsa-ci.yml
  - https://salsa.debian.org/santiago/pipeline/raw/sbuild-unshare-02-salsa-ci/pipeline-jobs.yml

As a reminder, this MR will make the Salsa CI pipeline build the packages more similar to how it’s built by the Debian official builders. This will also save some resources, since the default pipeline will have one stage less (the provisioning) stage, and will make it possible for more projects to be built on salsa.debian.org (including large projects and those from the OCaml ecosystem), etc. See the different issues being fixed in the MR description.

Debian 13 “trixie” release, by Emilio Pozuelo Monfort

On August 9th, Debian 13 “trixie” was released, building on two years worth of updates and bug fixes from hundreds of developers. Emilio helped coordinate the release, communicating with several teams involved in the process.

DebConf 26 Site Visit, by Stefano Rivera

Stefano visited Santa Fe, Argentina, the site for DebConf 26 next year. The aim of the visit was to help build a local team and see the conference venue first-hand. Stefano and Nattie represented the DebConf Committee. The local team organized Debian meetups in Buenos Aires and Santa Fe, where Stefano presented a talk on Debian and DebConf. Venues were scouted and the team met with the university management and local authorities.

Miscellaneous contributions

Raphaël updated tracker.debian.org after the “trixie” release to add the new “forky” release in the set of monitored distributions. He also reviewed and deployed the work of Scott Talbert showing open merge requests from salsa in the “action needed” panel.
Raphaël reviewed some DEP-3 changes to modernize the embedded examples in light of the broad git adoption.
Raphaël configured new workflows on debusine.debian.net to upload to “trixie” and trixie-security, and officially announced the service on debian-devel-announce, inviting Debian developers to try the service for their next upload to unstable.
Carles created a merge request for django-compressor upstream to fix an error when concurrent node processing happened. This will allow removing a workaround added in openstack-dashboard and avoid the same bug in other projects that use django-compressor.
Carles prepared a system to detect packages that Recommends packages which don’t exist in unstable. Processed (either reported or ignored due to mis-detected problems or temporary problems) 16% of the reports. Will continue next month.
Carles got familiar and gave feedback for the freedict-wikdict package. Planned contributions with the maintainer to improve the package.
Helmut responded to queries related to /usr-move.
Helmut adapted crossqa.d.n to the release of “trixie”.
Helmut diagnosed sufficient failures in rebootstrap to make it work with gcc-15.
Helmut fixed the CI pipeline of debvm.
Helmut sent patches for 19 cross build problems.
Faidon discovered that the Multi-Arch hinter would emit confusing hints about :any annotations. Helmut identified the root cause to be the handling of virtual packages and fixed it.
Enrico took some dust off python-debiancontributors and prototyped a receiving end for salsa webpings, to start followup work to contributors.debian.org discussions at DebConf25.
Colin upgraded about 70 Python packages to new upstream versions, which is around 10% of the backlog; this included a complicated Pydantic upgrade in collaboration with the Rust team.
Colin fixed a bug in debbugs that caused incoming emails to bugs.debian.org with certain header contents to go missing.
Thorsten uploaded sane-airscan, which was already in experimental, to unstable.
Thorsten created a script to automate the upload of new upstream versions of foomatic-db. The database contains information about printers and regularly gets an update. Now it is possible to keep the package more up to date in Debian.
Stefano prepared updates to almost all of his packages that had new versions waiting to upload to unstable. (beautifulsoup4, hatch-vcs, mkdocs-macros-plugin, pypy3, python-authlib, python-cffi, python-mitogen, python-pip, python-pipx, python-progress, python-truststore, python-virtualenv, re2, snowball, soupsieve).
Stefano uploaded two new python3.13 point releases to unstable.
Stefano updated distro-info-data in stable releases, to document the “trixie” release and expected EoL dates.
Stefano did some debian.social sysadmin work (keeping up quotas with growing databases and filesystems).
Stefano supported the Debian treasurers in processing some of the DebConf 25 reimbursements.
Lucas uploaded ruby3.4 to experimental. It was already approved by FTP masters.
Lucas uploaded ruby-defaults to experimental to add support for ruby3.4. It will allow us to start triggering test rebuilds and catch any FTBFS with ruby3.4.
Lucas did some administrative work for Google Summer of Code (GSoC) and replied to some queries from mentors and students.
Anupa helped to organize release parties for Debian 13 and Debian Day events.
Anupa did the live coverage for the Debian 13 release and prepared the Bits post for the release announcement and 32nd Debian Day as part of the Debian Publicity team.
Anupa attended a Debian Day event organized by FOSS club SSET as a speaker.

Monthly report about Debian Long Term Support, August 2025 (by Roberto C. Sánchez)

Roberto C. Sánchez — Thu, 11 Sep 2025 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In August, 21 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 10.0h (out of 0.0h assigned and 14.0h from previous period), thus carrying over 4.0h to the next month.
Andrej Shadura did 12.0h (out of 9.0h assigned and 3.0h from previous period).
Bastien Roucariès did 20.0h (out of 19.75h assigned and 0.25h from previous period).
Ben Hutchings did 22.75h (out of 16.5h assigned and 6.25h from previous period).
Carlos Henrique Lima Melara did 10.0h (out of 10.0h assigned).
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 23.25h (out of 23.25h assigned).
Emilio Pozuelo Monfort did 23.25h (out of 23.25h assigned).
Guilhem Moulin did 15.0h (out of 15.0h assigned).
Jochen Sprickerhof did 11.0h (out of 6.0h assigned and 16.75h from previous period), thus carrying over 11.75h to the next month.
Lee Garrett did 16.25h (out of 0.0h assigned and 16.25h from previous period).
Lucas Kanashiro did 20.0h (out of 1.25h assigned and 18.75h from previous period).
Markus Koschany did 5.0h (out of 13.0h assigned and 9.75h from previous period), thus carrying over 17.75h to the next month.
Paride Legovini did 8.0h (out of 0.0h assigned and 8.0h from previous period).
Roberto C. Sánchez did 7.5h (out of 11.75h assigned and 11.0h from previous period), thus carrying over 15.25h to the next month.
Santiago Ruano Rincón did 13.5h (out of 7.25h assigned and 7.75h from previous period), thus carrying over 1.5h to the next month.
Stefano Rivera did 0.5h (out of 0.0h assigned and 3.0h from previous period), thus carrying over 2.5h to the next month.
Sylvain Beucler did 10.0h (out of 23.25h assigned), thus carrying over 13.25h to the next month.
Thorsten Alteholz did 22.75h (out of 22.75h assigned).
Tobias Frost did 4.0h (out of 0.0h assigned and 12.0h from previous period), thus carrying over 8.0h to the next month.
Utkarsh Gupta did 16.0h (out of 22.75h assigned), thus carrying over 6.75h to the next month.

Evolution of the situation

In August, we released 27 DLAs.

The month of August marked the release of Debian 13 (codename “trixie”). This is worth noting because it brought with it the return of the customary fast development pace of Debian unstable, which included several contributions from LTS Team members. More on that below.

Of the many security updates which were published (and a few non-security updates as well), some notable ones are highlighted here.

Notable security updates:
- gnutls28 prepared by Adrian Bunk, fixes several potential denial of service vulnerabilities
- apache2, prepared by Bastien Roucariès, fixes several vulnerabilities including a potential denial of service and SSL/TLS-related access control
- mbedtls (original update, regression update) prepared by Andrej Shadura, fixes several potential denial of service and information disclosure vulnerabilities
- openjdk-17, prepared by Emilio Pozuelo Monfort, fixes several vulnerabilities which could result in denial of service, information disclosure or weakened TLS connections
Notable non-security updates:
- distro-info-data, prepared by Stefano Rivera, adds information concerning future Debian and Ubuntu releases
- ca-certificates-java, prepared by Bastien Roucariès, fixes some bugs which could disrupt future updates

The LTS Team continues to welcome the collaboration of maintainers from across the Debian community. The contributions of maintainers from outside the LTS Team include: postgresql-13 (Christoph Berg), sope (Jordi Mallach), thunderbird (Carsten Schoenert), and iperf3 (Roberto Lumbreras).

Finally, LTS Team members also contributed updates of the following packages:

redis (to stable), prepared by Chris Lamb
firebird3.0 (to oldstable and stable), prepared by Adrian Bunk
node-tmp (to oldstable, stable, and unstable), prepared by Adrian Bunk
openjpeg2 (to oldstable, stable, and unstable), prepared by Adrian Bunk
apache2 (to oldstable), prepared by Bastien Roucariès
unbound (to oldstable), prepared by Guilhem Moulin
luajit (to oldstable), prepared by Guilhem Moulin
golang-github-gin-contrib-cors (to oldstable and stable), prepared by Thorsten Alteholz
libcoap3 (to stable), prepared by Thorsten Alteholz
libcommons-lang-java and libcommons-lang3-java (both to unstable), prepared by Daniel Leidert
python-flask-cors (to oldstable), prepared by Daniel Leidert

The LTS Team would especially like to thank our many longtime friends and sponsors for their support and collaboration.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 119 months)
- Civil Infrastructure Platform (CIP) (for 87 months)
- VyOS Inc (for 51 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 129 months)
- Akamai - Linode (for 123 months)
- Babiel GmbH (for 113 months)
- Plat’Home (for 112 months)
- University of Oxford (for 69 months)
- Deveryware (for 56 months)
- EDF SA (for 41 months)
- Dataport AöR (for 16 months)
- CERN (for 14 months)
Silver sponsors:
- Domeneshop AS (for 134 months)
- Nantes Métropole (for 128 months)
- Univention GmbH (for 120 months)
- Université Jean Monnet de St Etienne (for 120 months)
- Ribbon Communications, Inc. (for 114 months)
- Exonet B.V. (for 103 months)
- Leibniz Rechenzentrum (for 98 months)
- Ministère de l’Europe et des Affaires Étrangères (for 81 months)
- Cloudways by DigitalOcean (for 71 months)
- Dinahosting SL (for 69 months)
- Platform.sh SAS (for 63 months)
- Moxa Inc. (for 57 months)
- sipgate GmbH (for 55 months)
- OVH US LLC (for 53 months)
- Tilburg University (for 53 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 44 months)
- THINline s.r.o. (for 17 months)
- Copenhagen Airports A/S (for 11 months)
Bronze sponsors:
- Evolix (for 134 months)
- Seznam.cz, a.s. (for 134 months)
- Intevation GmbH (for 131 months)
- Linuxhotel GmbH (for 131 months)
- Daevel SARL (for 130 months)
- Megaspace Internet Services GmbH (for 129 months)
- Greenbone AG (for 128 months)
- NUMLOG (for 128 months)
- WinGo AG (for 127 months)
- Entr’ouvert (for 118 months)
- Adfinis AG (for 116 months)
- Tesorion (for 111 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 110 months)
- Bearstech (for 102 months)
- LiHAS (for 102 months)
- Catalyst IT Ltd (for 97 months)
- Demarcq SAS (for 91 months)
- Université Grenoble Alpes (for 77 months)
- TouchWeb SAS (for 69 months)
- SPiN AG (for 66 months)
- CoreFiling (for 62 months)
- Institut des sciences cognitives Marc Jeannerod (for 57 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 53 months)
- Tem Innovations GmbH (for 48 months)
- WordFinder.pro (for 47 months)
- CNRS DT INSU Résif (for 46 months)
- Soliton Systems K.K. (for 41 months)
- Alter Way (for 39 months)
- Institut Camille Jordan (for 29 months)
- SOBIS Software GmbH (for 14 months)
- Tuxera Inc. (for 5 months)

ELA-1511-1 clamav security update (by )

Thu, 04 Sep 2025 15:05:45 -0300

Package : clamav

Version : 1.0.9+dfsg-1~deb9u1 (stretch), 1.0.9+dfsg-1~deb10u1 (buster)

Related CVEs : CVE-2025-20128 CVE-2025-20260

A couple of vulnerabilities have been fixed in ClamAV, an anti-virus utility for Unix, in this new upstream stable release.

CVE-2025-20128

The Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV
could allow an unauthenticated, remote attacker to cause a denial of service
(DoS) condition on an affected device.

CVE-2025-20260

The PDF scanning processes of ClamAV could allow an unauthenticated, remote
attacker to cause a buffer overflow condition, cause a denial of service (DoS)
condition, or execute arbitrary code on an affected device.

ELA-1510-1 libcommons-lang-java security update (by )

Sun, 31 Aug 2025 18:29:17 +0200

Package : libcommons-lang-java

Version : 2.6-6+deb9u1 (stretch), 2.6-8+deb10u1 (buster)

Related CVEs : CVE-2025-48924

A vulnerability was discovered in Apache Commons Lang utility classes, a Java API for classes that are in java.lang’s hierarchy.

CVE-2025-48924

An uncontrolled recursion vulnerability was discovered in Apache Commons
Lang. The method ClassUtils.getClass() can throw a StackOverflowError
on very long inputs.

ELA-1509-1 apache2 security update (by )

Sat, 30 Aug 2025 23:15:51 +0200

Package : apache2

Version : 2.4.25-3+deb9u21 (stretch)

Multiple vulnerabilities have been addressed in Apache, a widely used web server.

Please note that the fix for CVE-2025-23048, included in this ELA, may cause some SSL-enabled websites to encounter the error AH02032. Additional details are provided at the end of this advisory.

CVE-2024-42516

HTTP response splitting in the core of Apache HTTP Server allows an
attacker who can manipulate the Content-Type response headers of
applications hosted or proxied by the server can split the HTTP response

CVE-2024-43204

A SSRF (Server Side Request Forgery) was found in Apache HTTP Server
with mod_proxy loaded allows an attacker to
send outbound proxy requests to a URL controlled by the attacker.
This attack requires an unlikely configuration where mod_headers
is configured to modify the Content-Type request or response header with a
value provided in the HTTP request

CVE-2024-43394

A Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows
allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite
or apache expressions that pass unvalidated request input.

CVE-2024-47252

Insufficient escaping of user-supplied data in mod_ssl allows an untrusted
SSL/TLS client to insert escape characters into log files in some
configurations. In a logging configuration where CustomLog is used with
"%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as
SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and
unsanitized data provided by the client may appear in log files.

CVE-2025-23048

An access control bypass by trusted clients is possible using TLS 1.3
session resumption. Configurations are affected when mod_ssl is
configured for multiple virtual hosts, with each restricted to a
different set of trusted client certificates
(for example with a different SSLCACertificateFile/Path setting).
In such a case, a client trusted to access one virtual host may be able to
access another virtual host, if SSLStrictSNIVHostCheck is not enabled
in either virtual host.

CVE-2025-49630

In certain proxy configurations, a denial of service attack against
Apache HTTP Server can be triggered by untrusted clients causing
an assertion in mod_proxy_http2. Configurations affected are a
reverse proxy is configured for an HTTP/2 backend, with
ProxyPreserveHost set to "on".

CVE-2025-49812

In some mod_ssl configurations on Apache HTTP server, an HTTP
desynchronisation attack allows a man-in-the-middle attacker
to hijack an HTTP session via a TLS upgrade. Only configurations
using "SSLEngine optional" to enable TLS upgrades are affected.
Support for TLS upgrade was removed.

CVE-2025-53020

A late Release of Memory after Effective Lifetime vulnerability
was found in Apache HTTP Server.

Note that following the resolution of CVE-2025-23048, some SSL-enabled websites may begin encountering the error (AH02032):

Misdirected Request:
The client needs a new connection for this request as the
requested host name does not match the Server Name Indication
(SNI) in use for this connection.

This behavior is particularly noticeable with AWS Application Load Balancers. Although they support intelligent SNI handling, they do not (as of this writing) relay SNI data to the target server, resulting in failed connections when hostnames don’t align.

Without an SNI provided by the client, there is nothing httpd can do to determine which vhost/configuration should be used to provide the correct certificate (and TLS authentication eventually) whenever multiple vhosts listen on the same IP:port.

That’s because reading the HTTP Host header necessarily has to happen after the TLS handshake/auth/decryption (and later renegotiation is not an option with TLSv1.3).

So those connections fall back to the first vhost declared on the IP:port for the TLS handshake part, and if the request Host header finally matches a different vhost with a different TLS configuration it’s rejected with AH02032.

Before 2.4.64 (or this backport) the check was not accurate and would allow that, with security implications.

As a workaround, you may (after a risk analysis) generate a wildcard certificate. If you’re managing multiple domains, consolidate them into a single certificate by including each wildcard domain as an alias. Then, update the Apache configuration to reference this unified certificate.

Another possible workaround is to configure each virtual host to listen on a separate port. This approach avoids SNI-related issues by ensuring that each vhost is uniquely addressed through its own connection endpoint, thereby allowing distinct TLS configurations without ambiguity.

This error may also stem from a misconfigured HAProxy setup. In such cases, enabling dynamic SNI handling on HAProxy might be necessary to ensure that the correct hostname is passed through during the TLS handshake. After risk analysis, it could be done by using “sni req.hdr(Host)” directive.

This error may also be caused by a misconfigured Nginx proxy setup. In such scenarios, enabling Server Name Indication (SNI) when connecting to the backend may be necessary to ensure that the correct hostname is transmitted during the TLS handshake. After conducting a risk analysis, this can be achieved by configuring the “proxy_ssl_server_name on;” and “proxy_ssl_name $host;” directives.

ELA-1508-1 udisks2 security update (by )

Fri, 29 Aug 2025 15:57:52 +0200

Package : udisks2

Version : 2.1.8-1+deb9u2 (stretch), 2.8.1-4+deb10u4 (buster)

Related CVEs : CVE-2025-8067

Michael Imfeld discovered an out-of-bounds read vulnerability in udisks2, which may result in denial of service (daemon process crash), or in mapping an internal file descriptor from the daemon process onto a loop device, resulting in local privilege escalation.

ELA-1507-1 luajit security update (by )

Tue, 26 Aug 2025 00:06:48 +0200

Package : luajit

Version : 2.1.0~beta3+dfsg-5.1+deb10u1 (buster)

CVE-2019-19391

It was discovered that debug.getinfo() has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled.

Note: The LuaJIT project owner disputes the vulnerability and states that the debug library is unsafe by design.

CVE-2020-15890

Yongheng Chen discovered an out-of-bounds read because __gc handler frame traversal is mishandled.

CVE-2020-24372

Yongheng Chen discovered out-of-bounds read in lj_err_run().

CVE-2024-25176

Kutyavin Maxim discovered a stack-buffer-overflow in lj_strfmt_wfnum().

CVE-2024-25177

Kutyavin Maxim discovered an unsinking of IR_FSTORE for NULL metatable.

CVE-2024-25178

Kutyavin Maxim discovered an out-of-bounds read in the stack-overflow handler.

ELA-1506-1 firebird3.0 security update (by )

Mon, 25 Aug 2025 15:34:46 +0300

Package : firebird3.0

Version : 3.0.5.33100.ds4-2+deb10u1 (buster)

Related CVEs : CVE-2025-54989

An XDR message parsing NULL pointer dereference has been fixed in the Firebird database.

ELA-1505-1 iperf3 security update (by )

Sun, 24 Aug 2025 23:53:45 +0300

Package : iperf3

Version : 3.9-1+deb11u3~deb9u1 (stretch), 3.9-1+deb11u3~deb10u1 (buster)

Related CVEs : CVE-2025-54349 CVE-2025-54350

Two vulnerabilities have been fixed in the IP bandwidth measuring tool iperf3.

CVE-2025-54349

heap buffer overflow

CVE-2025-54350

reachable assert

ELA-1504-1 unbound1.9 security update (by )

Sun, 24 Aug 2025 22:51:14 +0200

Package : unbound1.9

Version : 1.9.0-2+deb10u2~deb9u6 (stretch)

CVE-2025-5994

Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.

Unbound now includes a fix that disregards replies that came back without ECS when ECS was expected.

CVE-2024-33655

The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets.

While Unbound itself is not vulnerable for DoS, it can be used to take part in a pulsing DoS amplification attack.

Configuration options have been added to help mitigate the impact by trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be:

discard-timeout (default value: 1900): After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of “old” replies. Legitimate clients retry on timeouts.
wait-limit (default value: 1000): Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped. Use `wait-limit: 0` in order to disable all wait limits.
wait-limit-netblock: These do not have a default value but they can fine grain configuration for specific netblocks.

CVE-2019-18934

Shell code injection vulnerability after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with --enable-ipsecmod support, and ipsecmod is enabled and used in the configuration.

Debian binary packages are not built with --enable-ipsecmod, and therefore unaffected. Still, the fix is included in the source package for users building their own packages.

In addition, this version includes follow-up upstream fixes and improvements for CVE-2024-43167.

ELA-1503-1 unbound security update (by )

Sun, 24 Aug 2025 22:50:14 +0200

Package : unbound

Version : 1.9.0-2+deb10u6 (buster)

CVE-2025-5994

Unbound now includes a fix that disregards replies that came back without ECS when ECS was expected.

CVE-2024-33655

The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets.

While Unbound itself is not vulnerable for DoS, it can be used to take part in a pulsing DoS amplification attack.

Configuration options have been added to help mitigate the impact by trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be:

discard-timeout (default value: 1900): After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of “old” replies. Legitimate clients retry on timeouts.
wait-limit (default value: 1000): Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped. Use `wait-limit: 0` in order to disable all wait limits.
wait-limit-netblock: These do not have a default value but they can fine grain configuration for specific netblocks.

CVE-2019-25031

Configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session.

CVE-2019-25032

Integer overflow in the regional allocator via regional_alloc.

CVE-2019-25033

Integer overflow in the regional allocator via the ALIGN_UP macro.

CVE-2019-25034

Integer overflow in sldns_str2wire_dname_buf_origin() leading to an out-of-bounds write.

CVE-2019-25035

Out-of-bounds write in sldns_bget_token_par().

CVE-2019-25036

Assertion failure and denial of service in synth_cname().

CVE-2019-25037

Assertion failure and denial of service in dname_pkt_copy() via an invalid packet.

CVE-2019-25038

Integer overflow in a size calculation in dnscrypt/dnscrypt.c.

CVE-2019-25039

Integer overflow in a size calculation in respip/respip.c.

CVE-2019-25040

Infinite loop via a compressed name in dname_pkt_copy().

CVE-2019-25041

Assertion failure via a compressed name in dname_pkt_copy().

CVE-2019-25042

Out-of-bounds write via a compressed name in rdata_copy().

CVE-2019-18934

Debian binary packages are not built with --enable-ipsecmod, and therefore unaffected. Still, the fix is included in the source package for users building their own packages.

In addition, this version includes follow-up upstream fixes and improvements for CVE-2024-43167.

ELA-1502-1 apache2 security update (by )

Fri, 22 Aug 2025 00:29:27 +0200

Package : apache2

Version : 2.4.59-1~deb10u5 (buster)

Multiple vulnerabilities have been addressed in Apache, a widely used web server.

Please note that the fix for CVE-2025-23048, included in this ELA, may cause some SSL-enabled websites to encounter the error AH02032. Additional details are provided at the end of this advisory.

CVE-2024-42516

HTTP response splitting in the core of Apache HTTP Server allows an
attacker who can manipulate the Content-Type response headers of
applications hosted or proxied by the server can split the HTTP response

CVE-2024-43204

A SSRF (Server Side Request Forgery) was found in Apache HTTP Server
with mod_proxy loaded allows an attacker to
send outbound proxy requests to a URL controlled by the attacker.
This attack requires an unlikely configuration where mod_headers
is configured to modify the Content-Type request or response header with a
value provided in the HTTP request

CVE-2024-43394

A Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows
allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite
or apache expressions that pass unvalidated request input.

CVE-2024-47252

Insufficient escaping of user-supplied data in mod_ssl allows an untrusted
SSL/TLS client to insert escape characters into log files in some
configurations. In a logging configuration where CustomLog is used with
"%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as
SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and
unsanitized data provided by the client may appear in log files.

CVE-2025-23048

An access control bypass by trusted clients is possible using TLS 1.3
session resumption. Configurations are affected when mod_ssl is
configured for multiple virtual hosts, with each restricted to a
different set of trusted client certificates
(for example with a different SSLCACertificateFile/Path setting).
In such a case, a client trusted to access one virtual host may be able to
access another virtual host, if SSLStrictSNIVHostCheck is not enabled
in either virtual host.

CVE-2025-49630

In certain proxy configurations, a denial of service attack against
Apache HTTP Server can be triggered by untrusted clients causing
an assertion in mod_proxy_http2. Configurations affected are a
reverse proxy is configured for an HTTP/2 backend, with
ProxyPreserveHost set to "on".

CVE-2025-49812

In some mod_ssl configurations on Apache HTTP server, an HTTP
desynchronisation attack allows a man-in-the-middle attacker
to hijack an HTTP session via a TLS upgrade. Only configurations
using "SSLEngine optional" to enable TLS upgrades are affected.
Support for TLS upgrade was removed.

CVE-2025-53020

A late Release of Memory after Effective Lifetime vulnerability
was found in Apache HTTP Server.

Note that following the resolution of CVE-2025-23048, some SSL-enabled websites may begin encountering the error (AH02032):

Misdirected Request:
The client needs a new connection for this request as the
requested host name does not match the Server Name Indication
(SNI) in use for this connection.

That’s because reading the HTTP Host header necessarily has to happen after the TLS handshake/auth/decryption (and later renegotiation is not an option with TLSv1.3).

Before 2.4.64 (or this backport) the check was not accurate and would allow that, with security implications.

ELA-1501-1 mariadb-10.3 security update (by )

Sat, 16 Aug 2025 11:15:06 +0200

Package : mariadb-10.3

Version : 1:10.3.39-0+deb10u4 (buster)

Multiple vulnerabilities were fixed in MariaDB 10.3, a popular database engine.

CVE-2023-52968

A Denial Of Service (DoS) was found in MariaDB. MariaDB server may call
fix_fields_if_needed under mysql_derived_prepare when derived is not yet
prepared, leading to a find_field_in_table crash.

CVE-2023-52969

MariaDB may crash with an empty backtrace log. This may be related
to make_aggr_tables_info and optimize_stage2.

CVE-2023-52968

MariaDB may crash in Item_direct_view_ref::derived_field_transformer_for_where.

ELA-1500-1 dns-root-data DNSSEC trust anchors update (by )

Fri, 15 Aug 2025 09:53:16 +0200

Package : dns-root-data

Version : 2024071801~deb9u1 (stretch), 2024071801~deb10u1 (buster)

The dns-root-data package contains DNS root zone data as published by IANA to be used as initial source by DNS software. This release adds the DNSKEY record for the KSK-2024 trust anchor. This new key is planned for use starting October 2026, and the previous one (KSK-2017) should be revoked January 2027, leaving time to propagate the new trust anchor, or roll to it sooner in case of emergency.

Monthly report about Debian Long Term Support, July 2025 (by Roberto C. Sánchez)

Roberto C. Sánchez — Fri, 15 Aug 2025 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In July, 17 contributors have been paid to work on Debian LTS, their reports are available:

Adrian Bunk did 19.0h (out of 19.0h assigned).
Andrej Shadura did 5.0h (out of 0.0h assigned and 8.0h from previous period), thus carrying over 3.0h to the next month.
Bastien Roucariès did 18.5h (out of 18.75h assigned), thus carrying over 0.25h to the next month.
Ben Hutchings did 12.5h (out of 3.25h assigned and 15.5h from previous period), thus carrying over 6.25h to the next month.
Carlos Henrique Lima Melara did 10.0h (out of 10.0h assigned).
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 18.75h (out of 17.25h assigned and 1.5h from previous period).
Emilio Pozuelo Monfort did 18.75h (out of 18.75h assigned).
Guilhem Moulin did 15.0h (out of 14.0h assigned and 1.0h from previous period).
Jochen Sprickerhof did 2.0h (out of 16.5h assigned and 2.25h from previous period), thus carrying over 16.75h to the next month.
Lee Garrett did 7.0h (out of 0.0h assigned and 23.25h from previous period), thus carrying over 16.25h to the next month.
Markus Koschany did 9.0h (out of 18.75h assigned), thus carrying over 9.75h to the next month.
Roberto C. Sánchez did 10.25h (out of 18.5h assigned and 2.75h from previous period), thus carrying over 11.0h to the next month.
Santiago Ruano Rincón did 7.25h (out of 12.75h assigned and 2.25h from previous period), thus carrying over 7.75h to the next month.
Sylvain Beucler did 18.75h (out of 18.75h assigned).
Thorsten Alteholz did 15.0h (out of 15.0h assigned).
Utkarsh Gupta did 15.0h (out of 1.0h assigned and 14.0h from previous period).

Evolution of the situation

In July, we released 24 DLAs.

Notable security updates:
- angular.js, prepared by Bastien Roucariès, fixes multiple vulnerabilities including input sanitization and potential regular expression denial of service (ReDoS)
- tomcat9, prepared by Markus Koschany, fixes an assortment of vulnerabilities
- mediawiki, prepared by Guilhem Moulin, fixes several information disclosure and privilege escalation vulnerabilities
- php7.4, prepared by Guilhem Moulin, fixes several server side request forgery and denial of service vulnerabilities

This month’s contributions from outside the regular team include an update to thunderbird, prepared by Christoph Goehre (the package maintainer).

LTS Team members also contributed updates of the following packages:

commons-beanutils (to stable and unstable), prepared by Adrian Bunk
djvulibre (to oldstable, stable, and unstable), prepared by Adrian Bunk
git (to stable), prepared by Adrian Bunk
redis (to oldstable), prepared by Chris Lamb
libxml2 (to oldstable), prepared by Guilhem Moulin
commons-vfs (to oldstable), prepared by Daniel Leidert

Additionally, LTS Team member Santiago Ruano Rincón proposed and implemented an improvement to the debian-security-support package. This package is available so that interested users can quickly determine if any installed packages are subject to limited security support or are excluded entirely from security support. However, there was not previously a way to identify explicitly supported packages, which has become necessary to note exceptions to broad exclusion policies (e.g., those which apply to substantial package groups, like modules belonging to the Go and Rust language ecosystems). Santiago’s work has enabled the notation of exceptions to these exclusions, thus ensuring that users of debian-security-support have accurate status information concerning installed packages.

DebCamp 25 Security Tracker Sprint

The previously announced security tracker sprint took place at DebCamp from 7-13 July. Participants included 8 members of the standing LTS Team, 2 active Debian Developers with an interest in LTS, 3 community members, and 1 member of the Debian Security Team (who provided guidance and reviews on proposed changes to the security tracker); participation was a mix of in person at the venue in Brest, France and remote. During the days of the sprint, the team tackled a wide range of bugs and improvements, mostly targeting the security tracker.

The sprint participants worked on the following items:

Completed during the sprint:
- Implementation of a resource which provides an alternate view of the CVE history contained in the main security tracker
- Implementation of a feature which identifies CVEs that have been fixed via a DLA but which remain unfixed in more recent releases (associated tests are still a work in progress)
- A minor bug fix to the LTS Team’s CVE triage tooling
- Removal of some dead code
Still in progress as of the end of the sprint:
- Proposed implementation of support for vulnerabilities that don’t affect the binaries (only in the sources)
- Proposed implementation of support for tracking uploads to proposed-updates
- Continued work (which was in progress prior to the sprint) on tooling to export security tracker data in CSAF and VEX formats
- Proposed implementation of visual distinction between vulnerable/unimportant/ignored CVEs
- Proposed implementation of support for identifying CVEs that have been fixed in older and newer releases but which remain unfixed in LTS
- Proposed implementation of tooling that checks the consistency of the list of CVEs associated with a specific security update which is being prepared
- Draft documentation of the security tracker’s JSON data export schema
- Proposed clean-up of inconsistent historical entries in the DSA index
- Proposed improvement to how the security tracker handles requests for non-existent resources
- Proposed bug fix for inconsistencies in the security tracker JSON data export
- Proposed improvement to more accurate display of CVE states that are currently all shown as “fixed” (1 2)
- Proposed bug fix for turning URLs from text into clickable links
- A minor bug fix to the security tracker’s linkage to Ubuntu security resources
- Proposed implementation of the ability to identify CVEs for re-triage by the LTS Team
- Continued work (which was in progress prior to the sprint) on improved tooling to support security releases of packages from language ecosystems that rely heavily on static linking

As can be seen from the above list, only a small number of changes were brought to completion during the sprint week itself. Given the very compressed timeframe involved, the broad scope of tasks which were under consideration, and the highly sensitive data managed by the security tracker, this is not entirely unexpected and in no way diminishes the great work done by the sprint participants. The LTS Team would especially like to thank Salvatore Bonaccorso of the Debian Security Team for making himself available throughout the sprint to answer questions, for providing guidance on the work, and for helping the work by reviewing and merging the MRs which were able to merged during the sprint itself.

In the weeks that follow the sprint, the team will continue working towards completing the in progress items.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 118 months)
- Civil Infrastructure Platform (CIP) (for 86 months)
- VyOS Inc (for 50 months)
Gold sponsors:
- Roche Diagnostics International AG (for 128 months)
- Akamai - Linode (for 123 months)
- Babiel GmbH (for 112 months)
- Plat’Home (for 111 months)
- University of Oxford (for 68 months)
- Deveryware (for 55 months)
- EDF SA (for 40 months)
- Dataport AöR (for 15 months)
- CERN (for 13 months)
Silver sponsors:
- Domeneshop AS (for 133 months)
- Nantes Métropole (for 127 months)
- Univention GmbH (for 119 months)
- Université Jean Monnet de St Etienne (for 119 months)
- Ribbon Communications, Inc. (for 113 months)
- Exonet B.V. (for 103 months)
- Leibniz Rechenzentrum (for 97 months)
- Ministère de l’Europe et des Affaires Étrangères (for 81 months)
- Cloudways by DigitalOcean (for 70 months)
- Dinahosting SL (for 68 months)
- Platform.sh SAS (for 62 months)
- Moxa Inc. (for 56 months)
- sipgate GmbH (for 54 months)
- OVH US LLC (for 52 months)
- Tilburg University (for 52 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 43 months)
- THINline s.r.o. (for 16 months)
- Copenhagen Airports A/S (for 10 months)
Bronze sponsors:
- Evolix (for 133 months)
- Seznam.cz, a.s. (for 133 months)
- Intevation GmbH (for 130 months)
- Linuxhotel GmbH (for 130 months)
- Daevel SARL (for 129 months)
- Megaspace Internet Services GmbH (for 128 months)
- Greenbone AG (for 127 months)
- NUMLOG (for 127 months)
- WinGo AG (for 126 months)
- Entr’ouvert (for 118 months)
- Adfinis AG (for 115 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 110 months)
- Tesorion (for 110 months)
- Bearstech (for 101 months)
- LiHAS (for 101 months)
- Catalyst IT Ltd (for 96 months)
- Demarcq SAS (for 90 months)
- Université Grenoble Alpes (for 76 months)
- TouchWeb SAS (for 68 months)
- SPiN AG (for 65 months)
- CoreFiling (for 61 months)
- Institut des sciences cognitives Marc Jeannerod (for 56 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 52 months)
- Tem Innovations GmbH (for 47 months)
- WordFinder.pro (for 47 months)
- CNRS DT INSU Résif (for 45 months)
- Soliton Systems K.K. (for 41 months)
- Alter Way (for 38 months)
- Institut Camille Jordan (for 28 months)
- SOBIS Software GmbH (for 13 months)
- Tuxera Inc. (for 4 months)

ELA-1499-1 aide security update (by )

Thu, 14 Aug 2025 17:33:31 +0200

Package : aide

Version : 0.16.1-1+deb10u2 (buster)

Related CVEs : CVE-2025-54409

Rajesh Pangare discovered a vulnerability in aide, an advanced intrusion detection system. A local attacker can take advantage of these flaws to crash aide during report printing.

Debian Contributions: DebConf 25, OpenSSH upgrades, Cross compilation collaboration and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Tue, 12 Aug 2025 00:00:00 +0000

Debian Contributions: 2025-07

DebConf 25, by Stefano Rivera and Santiago Ruano Rincón

In July, DebConf 25 was held in Brest, France. Freexian was a gold sponsor and most of the Freexian team attended the event. Many fruitful discussions were had amongst our team and within the Debian community.

DebConf itself was organized by a local team in Brest, that included Santiago (who now lives in Uruguay). Stefano was also deeply involved in the organization, as a DebConf committee member, core video team, and the lead developer for the conference website. Running the conference took an enormous amount of work, consuming all of Stefano and Santiago’s time for most of July.

Lucas Kanashiro was active in the DebConf content team, reviewing talks and scheduling them. There were many last-minute changes to make during the event.

Anupa Ann Joseph was part of the Debian publicity team doing live coverage of DebConf 25 and was part of the DebConf 25 content team reviewing the talks. She also assisted the local team to procure the lanyards.

Recorded sessions presented by Freexian collaborators, often alongside other friends in Debian, included:

Welcome to Debconf 25! (Santiago, Anupa, and others)
Debian.net Team BoF (Stefano and others)
Publicity Team BoF (Anupa and others)
Using Debusine to pre-test your unstable uploads (Colin)
Reviving (un)schroot? (Helmut)
Debusine Workflow BoF (Enrico and Colin)
Debian LTS BoF (Lucas, Santiago, and others)
Meet the Technical Committee (Stefano, Helmut, and others)
Debian Python BoF (Stefano)
Cross building BoF (Helmut)
Debian Outreach Session (Lucas)
Meet the people behind Debian Artwork (Anupa and others)
debian.social BoF (Stefano and others)
DebConf Committee BoF (Stefano and others)
Salsa CI BoF (Santiago and others)
DebConf 27: In your city? (Stefano and others)
Closing Ceremony (Santiago and many others)

OpenSSH upgrades, by Colin Watson

Towards the end of a release cycle, people tend to do more upgrade testing, and this sometimes results in interesting problems. Manfred Stock reported “No new SSH connections possible during large part of upgrade to Debian Trixie”, which would have affected many people upgrading from Debian 12 (bookworm), with potentially severe consequences for people upgrading remote systems. In fact, there were two independent problems that each led to much the same symptom:

As part of hardening the OpenSSH server, OpenSSH 9.8 split the monolithic sshd listener process into two pieces: a minimal network listener (still called sshd), and an sshd-session process dealing with each individual session. Before this change, when sshd received an incoming connection, it forked and re-executed itself with some special parameters to deal with it; after this change, it forks and executes sshd-session instead, and sshd no longer accepts the parameters it used to accept for this.

Debian package upgrades happen (roughly) in two phases: first we unpack the new files onto disk, and then we run some configuration steps which usually include things like restarting services. Normally this is fine, because the old service keeps on working until it’s restarted. In this case, unpacking the new files onto disk immediately stopped new SSH connections from working: the old sshd received the connection and tried to hand it off to a freshly-executed copy of the new sshd binary on disk, which no longer supports this. This wasn’t much of a problem when upgrading OpenSSH on its own or with a small number of other packages, but in release upgrades it left a large gap when you can’t SSH to the system any more, and if anything fails in that interval then you could be in trouble.

After trying a couple of other approaches, Colin landed on the idea of having the openssh-server package divert /usr/sbin/sshd to /usr/sbin/sshd.session-split before the unpack step of an upgrade from before 9.8, then removing the diversion and moving the new file into place once it’s ready to restart the service. This reduces the period when new connections fail to a minimum.
Most OpenSSH processes, including sshd, check for a compatible version of the OpenSSL library when they start up. This check used to be very picky, among other things requiring both the major and minor part of the version number to match. OpenSSL 3 has a better versioning policy, and so OpenSSH 9.4p1 relaxed this check.

Unfortunately, bookworm shipped with OpenSSH 9.2p1, so as soon as you unpacked the new OpenSSL library during an upgrade, sshd stopped working. This couldn’t be fixed by a change in trixie; we needed to change bookworm in advance of the upgrade so that it would tolerate newer versions of OpenSSL, and time was tight if we wanted this to be available before the release of Debian 13.

Fortunately, there’s a stable-updates mechanism for exactly this sort of thing, and the stable release managers kindly accepted Colin’s proposal to fix this there.

The net result is that if you apply updates to bookworm (including stable-updates / bookworm-updates, which is enabled by default) before starting the upgrade to trixie, everything should be fine.

Cross compilation collaboration, by Helmut Grohne

Supporting cross building in Debian packages touches lots of areas of the archive and quite some of these matters reside in shared responsibility between different teams. Hence, DebConf was an ideal opportunity to settle long-standing issues.

Fortran: agreements reached on how to proceed (thanks to Alastair McKinstry)
Go: agreements reached on how to proceed (thanks to Mathias Gibbens)
Perl: fixed long-standing pkg-config interaction problem (thanks to gregor herrmann)
Python: no conclusion reached regarding dependency duplication (python3-dev:any, libpython3-dev) yet
Qt/KDE: found a way forward for kconf_update (thanks to Aurélien COUDERC)
Ruby: fixed problem affecting any ruby extension build (thanks to Lucas)

The cross building bof sparked lively discussions as a significant fraction of developers employ cross builds to get their work done. In the trixie release, about two thirds of the packages can satisfy their cross Build-Depends and about half of the packages actually can be cross built.

Miscellaneous contributions

Raphaël Hertzog updated tracker.debian.org to remove references to Debian 10 which was moved to archive.debian.org, and had many fruitful discussions related to Debusine during DebConf 25.
Carles Pina prepared some data, questions and information for the DebConf 25 l10n and i18n BoF.
Carles Pina demoed and discussed possible next steps for po-debconf-manager with different teams in DebConf 25. He also reviewed Catalan translations and sent them to the packages.
Carles Pina started investigating a django-compressor bug: reproduced the bug consistently and prepared a PR for django-compressor upstream (likely more details next month). Looked at packaging frictionless-py.
Stefano Rivera triaged Python CVEs against pypy3.
Stefano prepared an upload of a new upstream release of pypy3 to Debian experimental (due to the freeze).
Stefano uploaded python3.14 RC1 to Debian experimental.
Thorsten Alteholz uploaded a new upstream version of sane-airscan to experimental. He also started to work on a new upstream version of hplip.
Colin backported fixes for CVE-2025-50181 and CVE-2025-50182 in python-urllib3, and fixed several other release-critical or important bugs in Python team packages.
Lucas uploaded ruby3.4 to experimental as a starting point for the ruby-defaults transition that will happen after Trixie release.
Lucas coordinated with the Release team the fix of the remaining RC bugs involving ruby packages, and got them all fixed.
Lucas, as part of the Debian Ruby team, kicked off discussions to improve internal process/tooling.
Lucas, as part of the Debian Outreach team, engaged in multiple discussions around internship programs we run and also what else we could do to improve outreach in the Debian project.
Lucas joined the Local groups BoF during DebConf 25 and shared all the good experiences from the Brazilian community and committed to help to document everything to try to support other groups.
Helmut spent significant time with Samuel Thibault on improving architecture cross bootstrap for hurd-any mostly reviewing Samuel’s patches. He proposed a patch for improving bash’s detection of its pipesize and a change to dpkg-shlibdeps to improve behavior for building cross toolchains.
Helmut reiterated the multiarch policy proposal with a lot of help from Nattie Mayer-Hutchings, Rhonda D’Vine and Stuart Prescott.
Helmut finished his work on the process based unschroot prototype that was the main feature of his talk (see above).
Helmut analyzed a multiarch-related glibc upgrade failure induced by a /usr-move mitigation of systemd and sent a patch and regression fix both of which reached trixie in time. Thanks to Aurelien Jarno and the release team for their timely cooperation.
Helmut resurrected an earlier discussion about changing the semantics of Architecture: all packages in a multiarch context in order to improve the long-standing interpreter problem. With help from Tollef Fog Heen better semantics were discovered and agreement was reached with Guillem Jover and Julian Andres Klode to consider this change. The idea is to record a concrete architecture for every Architecture: all package in the dpkg database and enable choosing it as non-native.
Helmut implemented type hints for piuparts.
Helmut reviewed and improved a patch set of Jochen Sprickerhof for debvm.
Anupa was involved in discussions with the Debian Women team during DebConf 25.
Anupa started working for the trixie release coverage and started coordinating release parties.
Emilio helped coordinate the release of Debian 13 trixie.

ELA-1498-1 openjpeg2 security update (by )

Sun, 10 Aug 2025 18:15:20 +0300

Package : openjpeg2

Version : 2.3.0-2+deb10u4 (buster)

Related CVEs : CVE-2019-12973 CVE-2025-50952

Multiple vulnerabilities have been fixed in the JPEG 2000 image library OpenJPEG.

CVE-2019-12973

Excessive iterations in convertbmp

CVE-2025-50952

Avoid potential undefined behaviour in opj_dwt_decode_tile()

ELA-1497-1 distro-info-data database update (by )

Sat, 09 Aug 2025 19:30:26 +0200

Package : distro-info-data

Version : 0.41+deb10u2~bpo9+8 (stretch), 0.41+deb10u12 (buster)

This is a routine update of the distro-info-data database for Debian ELTS users.

It adds the release and estimated EoL dates for Debian 13 “Trixie”. Also included is a new “eol-legacy” column for Ubuntu Legacy Support.

ELA-1496-1 gnutls28 security update (by )

Sat, 09 Aug 2025 18:30:42 +0300

Package : gnutls28

Version : 3.5.8-5+deb9u9 (stretch)

Related CVEs : CVE-2025-32988 CVE-2025-32990

Multiple vulnerabilities have been fixed in GnuTLS, a library implementing the SSL, TLS and DTLS protocols.

CVE-2025-32988

Double-free upon error when exporting otherName in SAN

CVE-2025-32990

1-byte write buffer overrun in certtool

ELA-1495-1 gnutls28 security update (by )

Sat, 09 Aug 2025 18:30:29 +0300

Package : gnutls28

Version : 3.6.7-4+deb10u14 (buster)

Multiple vulnerabilities have been fixed in GnuTLS, a library implementing the SSL, TLS and DTLS protocols.

CVE-2025-6395

NULL dereference when 2nd Client Hello omits PSK

CVE-2025-32988

Double-free upon error when exporting otherName in SAN

CVE-2025-32990

1-byte write buffer overrun in certtool

ELA-1494-1 unrar-nonfree security update (by )

Sat, 09 Aug 2025 17:59:23 +0300

Package : unrar-nonfree

Version : 1:5.6.6-1+deb10u5~deb9u1 (stretch), 1:5.6.6-1+deb10u5 (buster)

Related CVEs : CVE-2024-33899

ANSI escape injection has been fixed in UnRAR, an unarchiver for .rar archives.

ELA-1493-1 libphp-adodb security update (by )

Tue, 05 Aug 2025 23:52:12 +0300

Package : libphp-adodb

Version : 5.20.9-1+deb9u2 (stretch)

Related CVEs : CVE-2025-46337

SQL injection in the PostgreSQL driver has been fixed in the ADOdb database access library for PHP.

ELA-1492-1 python-setuptools security update (by )

Tue, 05 Aug 2025 12:27:10 +0200

Package : python-setuptools

Version : 33.1.1-1+deb9u1 (stretch), 40.8.0-1+deb10u1 (buster)

Multiple vulnerabilities have been fixed in the Python setuptools package. setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages.

CVE-2022-40897: Regular Expression Denial of Service (ReDoS) in package_index.py.
CVE-2024-6345: A vulnerability in the package_index module allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.
CVE-2025-47273: A path traversal vulnerability in PackageIndex. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context.

Secure boot signing with Debusine (by Colin Watson)

Colin Watson — Mon, 04 Aug 2025 00:00:00 +0000

Debusine aims to be an integrated solution to build, distribute and maintain a Debian-based distribution. At Debconf 25, we talked about using it to pre-test uploads to Debian unstable, and also touched on how Freexian is using it to help maintain the Debian LTS and ELTS projects.

When Debian 10 (buster) moved to ELTS status in 2024, this came with a new difficulty that hadn’t existed for earlier releases. Debian 10 added UEFI Secure Boot support, meaning that there are now signed variants of the boot loader and Linux kernel packages. Debian has a system where certain packages are configured as needing to be signed, and those packages include a template for a source package along with the unsigned objects themselves. The signing service generates detached signatures for all those objects, and then uses the template to build a source package that it uploads back to the archive for building in the usual way.

Once buster moved to ELTS, it could no longer rely on Debian’s signing service for all this. Freexian operates parallel infrastructure for the archive, and now needed to operate a parallel signing service as well. By early 2024 we were already planning to move ELTS infrastructure towards Debusine, and so it made sense to build a signing service there as well.

Separately, we were able to obtain a Microsoft signature for Freexian’s shim build, allowing us to chain this into the trust path for most deployed x86 machines.

Freexian can help other organizations running Debian derivatives through the same process, and can provide secure signing infrastructure to the standards required for UEFI Secure Boot.

Prior art

We considered both code-signing (Debian’s current implementation) and lp-signing (Ubuntu’s current implementation) as prior art. Neither was quite suitable for various reasons.

code-signing relies on polling a configured URL for each archive to fetch a GPG-signed list of signing requests, which would have been awkward for us to set up, and it assumes that unsigned packages are sufficiently trusted for it to be able to run dpkg -x and dpkg-source -b on them outside any containment. dpkg -x has had the occasional security vulnerability, so this seemed unwise for a service that might need to deal with signing packages for multiple customers.
lp-signing is a microservice accepting authenticated requests, and is careful to avoid needing to manipulate packages itself. However, this relies on a different and incompatible mechanism for indicating that packages should be signed, which wasn’t something we wanted to introduce in ELTS.

Workers

Debusine already had an established system of external workers that run tasks under various kinds of containment. This seems like a good fit: after all, what’s a request to sign a package but a particular kind of task? But there are some problems here: workers can run essentially arbitrary code (such as build scripts in source packages), and even though that’s under containment, we don’t want to give such machines access to highly-sensitive data such as private keys.

Fortunately, we’d already introduced the idea of different kinds of workers a few months beforehand, in order to be able to run privileged “server tasks” that have direct access to the Debusine database. We built on that and added “signing workers”, which are much like external workers except that they only run signing tasks, no other types of tasks run on them, and they have access to a private database with information about the keys managed by their Debusine instance. (Django’s support for multiple databases made this quite easy to arrange: we were able to keep everything in the same codebase.)

Key management

It’s obviously bad practice to store private key material in the clear, but at the same time the signing workers are essentially oracles that will return signatures on request while ensuring that the rest of Debusine has no access to private key material, so they need to be able to get hold of it themselves. Hardware security modules (HSMs) are designed for this kind of thing, but they can be inconvenient to manage when large numbers of keys are involved.

Some keys are more valuable than others. If the signing key used for an experimental archive leaks, the harm is unlikely to be particularly serious; but if the ELTS signing key leaks, many customers will be affected. To match this, we implemented two key protection arrangements for the time being: one suitable for low-value keys encrypts the key in software with a configured key and stores the public key and ciphertext in the database, while one suitable for high-value keys stores keys as PKCS #11 URIs that can be set up manually by an instance administrator. We packaged some YubiHSM tools to make this easier for our sysadmins.

The signing worker calls back to the Debusine server to check whether a given work request is authorized to use a given signing key. All operations related to private keys also produce an audit log entry in the private signing database, so we can track down any misuse.

Tasks

Getting Debusine to do anything new usually requires figuring out how to model the operation as a task. In this case, that was complicated by wanting to run as little code as possible on the signing workers: in particular, we didn’t want to do all the complicated package manipulations there.

The approach we landed on was a chain of three tasks:

ExtractForSigning runs on a normal external worker. It takes the result of a package build and picks out the individual files from it that need to be signed, storing them as separate artifacts.
Sign runs on a signing worker, and (of course) makes the actual signatures, storing them as artifacts.
AssembleSignedSource runs on a normal external worker. It takes the signed artifacts and produces a source package containing them, based on the template found in the unsigned binary package.

Workflows

Of course, we don’t want people to have to create all those tasks directly and figure out how to connect everything together for themselves, and that’s what workflows are good at. The make_signed_source workflow does all the heavy lifting of creating the right tasks with the right input data and making them depend on each other in the right ways, including fanning out multiple copies of all this if there are multiple architectures or multiple template packages involved. Since you probably don’t want to stop at just having the signed source packages, it also kicks off builds to produce signed binary packages.

Even this is too low-level for most people to use directly, so we wrapped it all up in our debian_pipeline workflow, which just needs to be given a few options to enable signing support (and those options can be locked down by workspace owners).

What’s next?

In most cases this work has been enough to allow ELTS to carry on issuing kernel security updates without too much disruption, which was the main goal; but there are other uses for a signing system. We included OpenPGP support from early on, which allows Debusine to sign its own builds, and we’ll soon be extending that to sign APT repositories hosted by Debusine.

The current key protection arrangements could use some work. Supporting automatically-generated software-encrypted keys and manually-generated keys in an HSM is fine as far as it goes, but it would be good to be able to have the best of both worlds by being able to automatically generate keys protected by an HSM. This needs some care, as HSMs often have quite small limits on the number of objects they can store at any one time, and the usual workaround is to export keys from the HSM “under wrap” (encrypted by a key known only to the HSM) so that they can be imported only when needed. We have a general idea of how to do this, but doing it efficiently will need care.

We’d be very interested in hearing from organizations that need this sort of thing, especially for Debian derivatives. Debusine provides lots of other features that can help you. Please get in touch with us at sales@freexian.com if any of this sounds useful to you.

ELA-1491-1 openjdk-8 security update (by )

Fri, 01 Aug 2025 08:52:23 +0200

Package : openjdk-8

Version : 8u462-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

ELA-1490-1 linux-6.1 security update (by )

Thu, 31 Jul 2025 12:54:54 +0200

Package : linux-6.1

Version : 6.1.140-1~deb9u1 (stretch), 6.1.140-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For CPUs affected to ITS (Indirect Target Selection), to fully mitigate the vulnerability it is also necessary to update the intel-microcode packages released in ELA-1425-1.

For details on the Indirect Target Selection (ITS) vulnerability please refer to the VUSec article and the Intel one.

ELA-1489-1 php7.0 security update (by )

Mon, 28 Jul 2025 16:34:06 +0200

Package : php7.0

Version : 7.0.33-0+deb9u22 (stretch)

Related CVEs : CVE-2025-1220 CVE-2025-1735 CVE-2025-6491

CVE-2025-1220

Jihwan Kim discovered that fsockopen() lack validation that the hostname supplied does not contain null characters, which may lead to other functions like parse_url() to treat the hostname in an incorrect way, thereby potentially causing Server Side Request Forgery.

CVE-2025-1735

It was discovered that pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors, which may lead to crashes due to null pointer dereferences.

This issue is related to CVE-2025-1094 which was reported to PostgreSQL.

CVE-2025-6491

Ahmed Lekssays discovered that SoapVar instances created with a fully qualified name larger than 2G could lead to denial of service due to null pointer dereference.

ELA-1488-1 php7.3 security update (by )

Mon, 28 Jul 2025 16:34:05 +0200

Package : php7.3

Version : 7.3.31-1~deb10u11 (buster)

Related CVEs : CVE-2025-1220 CVE-2025-1735 CVE-2025-6491

CVE-2025-1220

CVE-2025-1735

It was discovered that pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors, which may lead to crashes due to null pointer dereferences.

This issue is related to CVE-2025-1094 which was reported to PostgreSQL.

CVE-2025-6491

Ahmed Lekssays discovered that SoapVar instances created with a fully qualified name larger than 2G could lead to denial of service due to null pointer dereference.

ELA-1487-1 libxml2 security update (by )

Mon, 28 Jul 2025 11:40:54 +0200

Package : libxml2

Version : 2.9.4+dfsg1-2.2+deb9u14 (stretch), 2.9.4+dfsg1-7+deb10u12 (buster)

CVE-2024-34459: Zhineng Zhong discovered that formatting error messages with xmllint --htmlout could result in a buffer over-read.
CVE-2025-6021: Ahmed Lekssays discovered an integer overflow issue in xmlBuildQName() which could result in memory corruption or a denial of service when processing crafted input.
CVE-2025-6170: Ahmed Lekssays discovered a stack-based buffer overflow issue in the command-parsing logic of the interactive shell in xmllint.
CVE-2025-49794: Nikita Sveshnikov discovered a heap use-after-free issue in the schematron. When processing XPath expressions in Schematron schema elements <sch:name path="…"/>, a pointer to freed memory is returned and then accessed, leading to undefined behavior or potential crashes.
CVE-2025-49796: Nikita Sveshnikov discovered a type confusion issue in the schematron. Processing sch:name elements and accessing namespace information may lead to leading to memory corruption or undefined behavior.

ELA-1486-1 openjdk-11 security update (by )

Wed, 23 Jul 2025 12:34:55 +0200

Package : openjdk-11

Version : 11.0.28+6-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

ELA-1485-1 djvulibre security update (by )

Mon, 21 Jul 2025 16:53:58 +0300

Package : djvulibre

Version : 3.5.27.1-7+deb9u3 (stretch), 3.5.27.1-10+deb10u2 (buster)

Related CVEs : CVE-2021-46312 CVE-2025-53367

Multiple vulnerabilities have been fixed in DjVuLibre, a library and tools to handle documents in the DjVu format.

CVE-2021-46312

Divide by zero in IWBitmap::Encode::init()

CVE-2025-53367

Buffer overflow in MMRDecoder

ELA-1484-1 dcmtk security update (by )

Mon, 21 Jul 2025 15:11:43 +0300

Package : dcmtk

Version : 3.6.1~20160216-4.1+deb9u2 (stretch), 3.6.4-2.1+deb10u3 (buster)

Multiple vulnerabilities have been fixed in DCMTK, a collection of libraries and applications implementing large parts the DICOM standard for medical images.

CVE-2022-2119

Path traversal vulnerability

CVE-2022-2120

Path traversal vulnerability

CVE-2025-2357

Segfault in JPEG-LS decoder

CVE-2025-25472

DoS with invalid mono images

CVE-2025-25474

Buffer overflow with invalid images

CVE-2025-25475

NULL pointer dereference

ELA-1483-1 freerdp2 security update (by )

Fri, 18 Jul 2025 23:25:36 +0300

Package : freerdp2

Version : 2.3.0+dfsg1-2+deb11u3~deb10u1 (buster)

Multiple vulnerabilities have been fixed in freerdp2, an implementation of the Remote Desktop Protocol.

CVE-2022-24882

Server side NTLM does not properly check parameters

CVE-2022-39320

Heap buffer overflow in urbdrc channel

CVE-2024-22211

Integer overflow in freerdp_bitmap_planar_context_reset

CVE-2024-32039

Integer overflow and Out of bounds write in clear_decompress_residual_data

CVE-2024-32040

Integer underflow in nsc_rle_decode

CVE-2024-32041

Out of bounds read in zgfx_decompress_segment

CVE-2024-32458

Out of bounds read in planar_skip_plane_rle

CVE-2024-32459

Out of bounds read in ncrush_decompress

CVE-2024-32460

Out of bounds read in interleaved_decompress

CVE-2024-32658

Out of bounds read in ExtractRunLengthRegular*

CVE-2024-32659

Out of bounds read in freerdp_image_copy

CVE-2024-32660

Out of memory in zgfx_decompress

CVE-2024-32661

NULL dereference in rdp_write_logon_info_v1

ELA-1482-1 commons-beanutils security update (by )

Thu, 17 Jul 2025 23:54:04 +0300

Package : commons-beanutils

Version : 1.9.3-1+deb10u2 (buster)

Related CVEs : CVE-2025-48734

Improper access control has been fixed in Apache Commons BeanUtils, Java classes for working with JavaBeans classes.

ELA-1481-1 redis security update (by )

Mon, 14 Jul 2025 15:28:14 -0700

Package : redis

Version : 3:3.2.6-3+deb9u16 (stretch), 5:5.0.14-1+deb10u9 (buster)

Related CVEs : CVE-2025-32023 CVE-2025-48367

Two issues were discovered in Redis, the key-value database:

CVE-2025-32023: An authenticated user may have used a specially-crafted string to trigger a stack/heap out-of-bounds write during hyperloglog operations, potentially leading to a remote code execution vulnerability. Installations that used Redis’ ACL system to restrict hyperloglog HLL commands are unaffected by this issue.
CVE-2025-48367: An unauthenticated connection could have caused repeated IP protocol errors, leading to client starvation and ultimately become a Denial of Service (DoS) attack.

Debian Contributions: unschroot, DebConf 25 preparations and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Sat, 12 Jul 2025 00:00:00 +0000

Debian Contributions: 2025-06

unschroot, by Helmut Grohne

Quite a while back, the sbuild maintainers added the unshare backend to enable better isolation of builds, but in doing so sbuild now effectively bundles a container runtime. unschroot is an attempt to separate containment from sbuild by implementing the same features and more in a schroot-compatible way. Last year, vague feature parity was achieved, but going beyond required changing the model from keeping state in the filesystem to keeping Linux namespaces as session state. A proof of concept is now available. While it still has sharp corners, it enables building packages on a squashfs with an overlayfs or id-mapped bind mounting of your ccache neither of which is possible with sbuild’s unshare backend. There shall be a DebConf25 presentation about this work.

DebConf 25, by Stefano Rivera, Santiago Ruano Rincón and Lucas Kanashiro

DebConf 25 is now under way in Brest, France. Santiago is part of the “local” team running the event, and Stefano Rivera is part of the DebConf committee, supporting the event, as well as the video team. Both have spent considerable time in the last month, getting things ready for DebConf. Lucas Kanashiro built the schedule for DebConf 25. Also followed-up on multiple requests from speakers and stakeholders.

Miscellaneous contributions

Carles did general maintenance on simplemonitor, qnetload and qdacco packages; provided simplemonitor upstream feedback on new feature.
Carles’s updates about po-debconf-manager: prepared for DebCamp/DebConf, used it for reviewing and merging different packages. Also fixed multispeech po-debconf templates.
Colin Watson found a crash in pterm (PuTTY’s terminal emulator) when running in a Wayland session, and backported the resulting upstream fix to trixie.
Colin responded to an upstream groff bug report about URLs being dropped from PDF output in some cases on Debian, and backported the fix to trixie.
Helmut dealt with issues related to /usr-move. Most prominently Christian Hofstaedler reported an upgrade failure. /usr-move is a contributing factor here as that’s what caused systemd to upgrade a number of Breaks and Replaces to Conflicts. dumat needed some help with dropping mips64el from testing and Theodore Ts’o forwarded a fuse2fs upgrade failure.
Helmut sent patches for 25 cross build failures.
Helmut debugged rebootstrap failures and worked around build failures related to gcc-15 when they had patches and sent ones otherwise.
Thorsten Alteholz uploaded cups to fix a FTBFS-bug. This bug was introduced by a change in systemd, which bumped the maximum number of open files. This resulted in a longer test duration that triggered a timeout so that the build failed. Thorsten also uploaded mtink and lprng, which got new translation files.
Lucas Kanashiro followed-up on multiple unblock requests for ruby packages due to reproducible builds fixes. All of them were accepted into trixie.
Lucas Kanashiro discussed license issues with upstream involving Redis 8 new license and the possibility of backporting patches to old versions with a different license. Outcome is that upstream is adding a new paragraph to their license to allow the backport for security fixes.
Lucas Kanashiro fixed multiple CVEs reported against valkey in unstable and trixie.
Lucas Kanashiro gave a Debian packaging course of 8 hours for students at a free software development course at the University of Sao Paulo.
Lucas Kanashiro fixed a couple of cross building issues in the ruby ecosystem with Helmut’s help.
Lucas Kanashiro is working on a debci fix for #1107645 (ongoing).
Stefano Rivera updated python-mitogen to the latest beta releases with upstream support for Ansible 12.
Stefano Rivera spent some time winding up DebConf 24 books.
Stefano Rivera fixed packages that were blocking cPython 3.13.5 from migrating to trixie, and filed an unblock request.
Stefano Rivera investigated a regression in cPython 3.13 that was breaking OpenStack Nova. There is a patch in progress for cPython, but it is not ready for use, yet.
Santiago reviewed different MRs in Salsa CI. For example, the MR !605 proposed by Aquila that aims to introduce a new debdiff job, as well as the autopkgtest MR !33 to extend the support to architectures other than amd64. Also reviewed MR !611 by Aayush Raj that fixes the autopkgtest images cleanup. And the MR !614, prepared by Charles, to change the suffix name used to bump the version used in the pipeline.
Anupa procured supplies needed for the DebConf ID tag for the DebConf registration team and co-ordinated its transport to the venue.
Anupa joined Nattie to complete the registration team tasks.

Monthly report about Debian Long Term Support, June 2025 (by Roberto C. Sánchez)

Roberto C. Sánchez — Sat, 12 Jul 2025 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In June, 20 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 14.0h (out of 14.0h assigned).
Adrian Bunk did 23.5h (out of 23.5h assigned).
Andreas Henriksson did 3.0h (out of 3.0h assigned and 17.0h from previous period), thus carrying over 17.0h to the next month.
Andrej Shadura did 2.0h (out of 3.0h assigned and 7.0h from previous period), thus carrying over 8.0h to the next month.
Bastien Roucariès did 20.0h (out of 20.0h assigned).
Ben Hutchings did 8.0h (out of 7.5h assigned and 16.0h from previous period), thus carrying over 15.5h to the next month.
Carlos Henrique Lima Melara did 12.0h (out of 12.0h assigned).
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 22.0h (out of 22.5h assigned and 1.0h from previous period), thus carrying over 1.5h to the next month.
Emilio Pozuelo Monfort did 23.5h (out of 16.75h assigned and 6.75h from previous period).
Guilhem Moulin did 14.0h (out of 11.5h assigned and 3.5h from previous period), thus carrying over 1.0h to the next month.
Jochen Sprickerhof did 21.0h (out of 0.5h assigned and 22.75h from previous period), thus carrying over 2.25h to the next month.
Lucas Kanashiro did 20.0h (out of 20.0h assigned).
Markus Koschany did 23.25h (out of 17.0h assigned and 6.25h from previous period).
Roberto C. Sánchez did 21.25h (out of 20.75h assigned and 3.25h from previous period), thus carrying over 2.75h to the next month.
Santiago Ruano Rincón did 12.75h (out of 15.0h assigned), thus carrying over 2.25h to the next month.
Sean Whitton did 1.0h (out of 4.25h assigned and 1.75h from previous period), thus carrying over 5.0h to the next month.
Sylvain Beucler did 23.5h (out of 23.5h assigned).
Thorsten Alteholz did 15.0h (out of 15.0h assigned).
Tobias Frost did 2.5h (out of 12.0h assigned), thus carrying over 9.5h to the next month.

Evolution of the situation

In June, we released 35 DLAs.

Notable security updates:
- mariadb-10.5, prepared by Otto Kekäläinen, fixes vulnerabilities which could result in denial of service, information disclosure, or unauthorized data modification
- python-django, prepared by Chris Lamb, fixes vulnerabilities which would result in log injection or denial of service
- webkit2gtk, prepared by Emilio Pozuelo Monfort, fixes many vulnerabilities which could results in a wide range of issues
- xorg-server, prepared by Emilio Pozuelo Monfort, fixes multiple vulnerabilities which may result in privilege escalation
- sudo, prepared by Thorsten Alteholz, fixes a vulnerability which could result in privilege escalation
Notable non-security updates:
- debian-security-support, prepared by Santiago Ruano Rincón, updates status of packages which receive limited security support or which have reached the end of security support
- dns-root-data, prepared by Sylvain Beucler, updates the DNSSEC trust anchors

This month’s contributions from outside the regular team include the mariadb-10.5 update mentioned above, prepared by Otto Kekäläinen (the package maintainer); an update to libfile-find-rule-perl, prepared by Salvatore Bonaccorso (a member of the Debian Security Team); an update to activemq, prepared by Emmanuel Arias (a maintainer of the package).

Additionally, LTS Team members contributed stable updates of the following packages:

curl, prepared by Carlos Henrique Lima Melara
python-tornado, prepared by Daniel Leidert
python-flask-cors, prepared by Daniel Leidert
common-vfs, prepared by Daniel Leidert
cjson, prepared by Adrian Bunk
icu, prepared by Adrian Bunk
node-tar-fs, prepared by Adrian Bunk
rar, prepared by Adrian Bunk

Something of particular noteworthiness is that LTS contributor Carlos Henrique Lima Melara discovered a regression in the upstream fix for CVE-2023-2753 in curl. The corrective action which he took included providing a patch to upstream, uploading a stable update of curl, and further updating the version of curl in LTS.

DebConf, the annual Debian Conference, is coming up in July and, as is customary each year, the week preceding the conference will feature an event called DebCamp. The DebCamp week provides an opportunity for teams and other interested groups/individuals to meet together in person in the same venue as the conference itself, with the purpose of doing focused work, often called “sprints”. LTS coordinator Roberto C. Sánchez has announced that the LTS Team is planning to hold a sprint primarily focused on the Debian security tracker and the associated tooling used by the LTS Team and the Debian Security Team.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 117 months)
- Civil Infrastructure Platform (CIP) (for 85 months)
- VyOS Inc (for 49 months)
Gold sponsors:
- Roche Diagnostics International AG (for 127 months)
- Akamai - Linode (for 121 months)
- Babiel GmbH (for 111 months)
- Plat’Home (for 110 months)
- University of Oxford (for 67 months)
- Deveryware (for 54 months)
- EDF SA (for 39 months)
- Dataport AöR (for 14 months)
- CERN (for 12 months)
Silver sponsors:
- Domeneshop AS (for 132 months)
- Nantes Métropole (for 126 months)
- Univention GmbH (for 118 months)
- Université Jean Monnet de St Etienne (for 118 months)
- Ribbon Communications, Inc. (for 112 months)
- Exonet B.V. (for 102 months)
- Leibniz Rechenzentrum (for 96 months)
- Ministère de l’Europe et des Affaires Étrangères (for 80 months)
- Cloudways by DigitalOcean (for 69 months)
- Dinahosting SL (for 67 months)
- Platform.sh SAS (for 61 months)
- Moxa Inc. (for 55 months)
- sipgate GmbH (for 53 months)
- OVH US LLC (for 51 months)
- Tilburg University (for 51 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 42 months)
- THINline s.r.o. (for 15 months)
- Copenhagen Airports A/S (for 9 months)
Bronze sponsors:
- Evolix (for 132 months)
- Seznam.cz, a.s. (for 132 months)
- Intevation GmbH (for 129 months)
- Linuxhotel GmbH (for 129 months)
- Daevel SARL (for 128 months)
- Megaspace Internet Services GmbH (for 127 months)
- Greenbone AG (for 126 months)
- NUMLOG (for 126 months)
- WinGo AG (for 125 months)
- Entr’ouvert (for 116 months)
- Adfinis AG (for 114 months)
- Tesorion (for 109 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 108 months)
- Bearstech (for 100 months)
- LiHAS (for 100 months)
- Catalyst IT Ltd (for 95 months)
- Demarcq SAS (for 89 months)
- Université Grenoble Alpes (for 75 months)
- TouchWeb SAS (for 67 months)
- SPiN AG (for 64 months)
- CoreFiling (for 60 months)
- Institut des sciences cognitives Marc Jeannerod (for 55 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 51 months)
- Tem Innovations GmbH (for 46 months)
- WordFinder.pro (for 45 months)
- CNRS DT INSU Résif (for 44 months)
- Soliton Systems K.K. (for 39 months)
- Alter Way (for 37 months)
- Institut Camille Jordan (for 27 months)
- SOBIS Software GmbH (for 12 months)
- Tuxera Inc. (for 3 months)

ELA-1480-1 varnish security update (by )

Thu, 10 Jul 2025 07:37:20 +0200

Package : varnish

Version : 5.0.0-7+deb9u4 (stretch)

Related CVEs : CVE-2025-47905

A client-side desync vulnerability can be triggered in Varnish Cache, a state of the art, high-performance web accelerator. An attacker can abuse a flaw in Varnish’s handling of chunked transfer encoding which allows certain malformed HTTP/1 requests to exploit improper framing of the message body to smuggle additional requests. Specifically, Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries.

ELA-1479-1 commons-vfs security update (by )

Tue, 01 Jul 2025 00:38:30 +0200

Package : commons-vfs

Version : 2.1-2+deb10u1 (buster)

Related CVEs : CVE-2025-27553

A vulnerability was discovered in Apache Commons VFS, a Java API for accessing various filesystems.

CVE-2025-27553

A relative path traversal vulnerability was discovered in Apache Commons
VFS. The FileObject API in Commons VFS has a 'resolveFile' method that
takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that
"an exception is thrown if the resolved file is not a descendent of the
base file". But when a path contains encoded ".." characters (for example,
"%2E%2E/bar.txt"), it might return file objects that are not a descendent
of the base file, without throwing an exception.

ELA-1478-1 rar security update (by )

Mon, 30 Jun 2025 22:28:34 +0300

Package : rar

Version : 2:7.01-1~deb9u1 (stretch)

Related CVEs : CVE-2024-33899

ANSI escape injection has been fixed in the RAR archiver.

ELA-1477-1 jessie-elts end of life (by )

Mon, 30 Jun 2025 15:31:34 -0300

Package : jessie-elts

The Extended Long Term Support (ELTS) Team hereby announces that Debian 8 “Jessie” support has reached its end-of-life today, June 30, 2025, ten years after its initial release on April 26th, 2015.

We strongly encourage any remaining Jessie users to upgrade to a supported Debian version. The ELTS Team will continue to provide security support for Debian 9 “Stretch” and Debian 10 “Buster”, while Debian 11 “Bullseye” and Debian 12 “Bookworm” are still supported by Debian.

Freexian and the ELTS Team would like to thank all the users that made Debian 8 ELTS possible, and we invite any interested parties to contribute to the extended support of the still supported Debian releases.

ELA-1476-1 sudo security update (by )

Mon, 30 Jun 2025 16:30:54 +0200

Package : sudo

Version : 1.8.10p3-1+deb8u10 (jessie), 1.8.19p1-2.1+deb9u7 (stretch), 1.8.27-1+deb10u7 (buster)

Related CVEs : CVE-2025-32462

Rich Mirch discovered that sudo, a program designed to provide limited super user privileges to specific users, does not correctly handle the host (-h or –host) option. Due to a bug the host option was not restricted to listing privileges only and could be used when running a command via sudo or editing a file with sudoedit. Depending on the rules present in the sudoers file the flaw might allow a local privilege escalation attack.

ELA-1475-1 gst-plugins-good1.0 security update (by )

Mon, 30 Jun 2025 15:23:12 +0200

Package : gst-plugins-good1.0

Version : 1.10.4-1+deb9u4 (stretch)

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

ELA-1474-1 catdoc security update (by )

Mon, 30 Jun 2025 13:56:12 +0300

Package : catdoc

Version : 1:0.94.3~git20160113.dbc9ec6+dfsg-1+deb9u2 (stretch), 1:0.95-4.1+deb11u1~deb10u1 (buster)

Multiple vulnerabilities have been fixed in catdoc, a text extractor for MS-Office files.

CVE-2024-48877

memory corruption

CVE-2024-52035

integer overflow

CVE-2024-54028

integer underflow

ELA-1473-1 python-tornado security update (by )

Mon, 30 Jun 2025 02:42:50 +0200

Package : python-tornado

Version : 5.1.1-4+deb10u2 (buster)

Related CVEs : CVE-2025-47287

A vulnerability was discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.

CVE-2025-47287

When Tornado's 'multipart/form-data' parser encounters certain errors,
it logs a warning but continues trying to parse the remainder of the
data. This allows remote attackers to generate an extremely high volume
of logs, constituting a DoS attack. This DoS is compounded by the fact
that the logging subsystem is synchronous.

ELA-1472-1 xorg-server security update (by )

Thu, 26 Jun 2025 10:02:18 +0200

Package : xorg-server

Version : 2:1.16.4-1+deb8u19 (jessie), 2:1.19.2-1+deb9u22 (stretch), 2:1.20.4-1+deb10u17 (buster)

Nils Emmerich discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

Compliance Consulting (by )

Thu, 26 Jun 2025 09:37:00 +0200

Improve your open source security and compliance posture with support from our Debian experts. We provide comprehensive assistance with vulnerability assessment tailored to your specific Debian usage.

We can help to extend the lifecycle of your Debian-based product to meet the requirements of different regulations. Our Long Term Support Services, including Debian LTS, Debian ELTS and PHP LTS, can help you comply with regulations like Cyber Resilience Act (CRA) by ensuring that Debian packages used in your products receive security updates for up to 10 years.

We also support your due diligence requirements for the different components that you are integrating into your product from Debian. Our services can reduce costs by enabling planned migration on your timeline while helping you avoid security incidents caused by unaddressed vulnerabilities.

In addition, we provide security advisories and vulnerability data for all of our supported Debian releases in a standard machine-readable format, as required by upcoming regulations.

Eliminate the complexity and risk of non-compliance, meet industry standards, and protect your business with greater confidence and a stronger security posture.

Pricing

ELA-1471-1 symfony security update (by )

Tue, 24 Jun 2025 20:42:34 +0200

Package : symfony

Version : 3.4.22+dfsg-2+deb10u4 (buster)

Related CVEs : CVE-2024-50343 CVE-2024-50345

CVE-2024-50343: It was discovered input ending with \n could bypass Validators.
CVE-2024-50345: Sam Mush discovered that due to URI parsing mismatch between common browsers and the Request class, an attacker could supply a specially crafted URI to bypass validation and redirect users to another domain.

ELA-1470-1 python-django security update (by )

Mon, 23 Jun 2025 17:14:46 -0700

Package : python-django

Version : 1.7.11-1+deb8u21 (jessie)

Related CVEs : CVE-2023-43665

A potential denial-of-service vulnerability was uncovered in Django, a popular Python-based web-development framework.

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.

The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable.

The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.

ELA-1469-1 auto-apt-proxy bugfix update (by )

Mon, 23 Jun 2025 09:21:44 +0200

Package : auto-apt-proxy

Version : 11+deb10u1 (buster)

auto-apt-proxy no longer attempts to look up a network interface name as a hostname and thereby avoids running into a timeout that caused autopkgtests of other packages to fail.

ELA-1468-1 poppler security update (by )

Sat, 21 Jun 2025 07:47:39 +0200

Package : poppler

Version : 0.48.0-2+deb9u7 (stretch)

Multiple vulnerabilities were discovered in poppler, a PDF rendering library, which could result in denial of service. An attacker could make poppler-based applications crash through various means.

Additionally, boomaga (BOOklet MAnager), a virtual preview printer, was rebuilt to handle ABI-breaking changes in the poppler private API.

CVE-2017-7515

An uncontrolled recursion in pdfunite resulting into potential denial-of-service. Note: the fix is a pre-requisite for CVE-2019-9903’s.
CVE-2017-14617

Complete fix, initially fix was in 0.48.0-2+deb9u1. For reference:

A floating point exception occurs in the ImageStream class in Stream.cc, which may lead to a potential attack when handling malicious PDF files.
CVE-2018-20551

A reachable Object::getString assertion allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Annot.c.
CVE-2019-9903

PDFDoc::markObject in PDFDoc.cc mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary.
CVE-2020-23804

Uncontrolled Recursion in pdfinfo, and pdftops allows remote attackers to cause a denial of service via crafted input.
CVE-2022-37050

PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.
CVE-2022-37051

A reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.
CVE-2022-37052

A reachable Object::getString assertion allows attackers to cause a denial of service due to a failure in markObject.
CVE-2022-38349

There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.
CVE-2024-56378

Out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
CVE-2025-32364

A floating-point exception in the PSStack::roll function can cause an application to crash when handling malformed inputs associated with INT_MIN.
CVE-2025-32365

Poppler allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.

ELA-1467-1 poppler security update (by )

Sat, 21 Jun 2025 07:47:20 +0200

Package : poppler

Version : 0.71.0-5+deb10u4 (buster)

Multiple vulnerabilities were discovered in poppler, a PDF rendering library, which could result in denial of service. An attacker could make poppler-based applications crash through various means.

CVE-2022-37052

A reachable Object::getString assertion allows attackers to cause a denial of service due to a failure in markObject.
CVE-2022-38349

There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.
CVE-2024-56378

Out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
CVE-2025-32364

A floating-point exception in the PSStack::roll function can cause an application to crash when handling malformed inputs associated with INT_MIN.
CVE-2025-32365

Poppler allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.

ELA-1466-1 konsole security update (by )

Fri, 20 Jun 2025 11:08:27 -0700

Package : konsole

Version : 4:18.04.0-1+deb10u1 (buster)

Related CVEs : CVE-2025-49091

It was discovered that there was a potential remote code execution vulnerability in konsole, the X terminal emulator of the KDE desktop environment.

ELA-1465-1 libblockdev security update (by )

Tue, 17 Jun 2025 23:52:30 +0200

Package : libblockdev

Version : 2.20-7+deb10u2 (buster)

Related CVEs : CVE-2025-6019

The Qualys Threat Research Unit (TRU) discovered a local privilege escalation vulnerability in libblockdev, a library for manipulating block devices. An “allow_active” user can exploit this flaw via the udisks daemon to obtain the full privileges of the root user.

Details can be found in the Qualys advisory at https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

Along with the libblockdev update, updated udisks2 packages are released, to enforce that private mounts are mounted with ’nodev,nosuid'.

ELA-1464-1 gst-plugins-bad1.0 security update (by )

Tue, 17 Jun 2025 23:51:50 +0300

Package : gst-plugins-bad1.0

Version : 1.10.4-1+deb9u6 (stretch), 1.14.4-1+deb10u6 (buster)

Related CVEs : CVE-2025-3887

A stack buffer-overflow in the H.265 codec parser has been fixed in the “bad” set of codecs for the GStreamer multimedia framework.

ELA-1463-1 mercurial security update (by )

Tue, 17 Jun 2025 14:22:15 +0200

Package : mercurial

Version : 4.0-1+deb9u3 (stretch), 4.8.2-1+deb10u2 (buster)

Related CVEs : CVE-2025-2361

A cross-site scripting vulnerability was discovered in hgweb, the integrated stand-alone web interface of the Mercurial version control system.

This update also stabilizes the test suites.

ELA-1462-1 roundcube security update (by )

Tue, 17 Jun 2025 00:28:06 +0200

Package : roundcube

Version : 1.3.17+dfsg.1-1~deb10u8 (buster)

Related CVEs : CVE-2025-49113

Kirill Firsov discovered that Roundcube, a skinnable AJAX based webmail solution for IMAP servers, was performing PHP Object deserialization on unvalidated input, which could lead to remote code execution by an authenticated attacker.

ELA-1348-2 python2.7 regression update (by )

Mon, 16 Jun 2025 22:56:09 +0200

Package : python2.7

Version : 2.7.13-2+deb9u11 (stretch)

The fix for CVE-2023-27043 made the email.utils.getaddresses function return results with an additional conversion from Python string object (str) to Unicode object (unicode). This can lead to a change in corner-case situations, as spotted in the Mercurial test suite. The fix was adapted to restore the previous behavior.

ELA-1347-2 python2.7 regression update (by )

Mon, 16 Jun 2025 22:28:04 +0200

Package : python2.7

Version : 2.7.16-2+deb10u6 (buster)

ELA-1461-1 icu security update (by )

Sun, 15 Jun 2025 23:58:46 +0300

Package : icu

Version : 52.1-8+deb8u10 (jessie), 57.1-6+deb9u6 (stretch), 63.1-6+deb10u4 (buster)

Related CVEs : CVE-2025-5222

A stack-based buffer overflow has been fixed in ICU, a C++ and C library for Unicode and Globalization support.

ELA-1460-1 libreoffice security update (by )

Fri, 13 Jun 2025 23:43:07 +0200

Package : libreoffice

Version : 1:6.1.5-3+deb9u7 (stretch), 1:6.1.5-3+deb10u16 (buster)

Related CVEs : CVE-2025-1080 CVE-2025-2866

Multiple vulnerabilities were fixed in libreoffice, a popular office productivity suite.

CVE-2025-1080

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice
with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific
to LibreOffice was added. In the affected versions of LibreOffice a link in a browser
using that scheme could be constructed with an embedded inner URL that when passed
to LibreOffice could call internal macros with arbitrary arguments.

CVE-2025-2866

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows
PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice
a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid
signatures to be accepted as valid.

ELA-1459-1 u-boot security update (by )

Fri, 13 Jun 2025 16:55:47 -0300

Package : u-boot

Version : 2016.11+dfsg1-4+deb9u1 (stretch), 2019.01+dfsg-7+deb10u1 (buster)

Multiple vulnerabilities have been discovered in u-boot, a boot loader for embedded systems.

CVE-2019-13103

A crafted self-referential DOS partition table will cause all Das U-Boot
versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow
infinitely and eventually either crash or overwrite other data.

CVE-2019-13104

In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow can cause
memcpy() to overwrite a very large amount of data (including the whole stack)
while reading a crafted ext4 filesystem.

CVE-2019-13106

Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data
while reading a crafted ext4 filesystem, which results in a stack buffer
overflow and likely code execution.

CVE-2019-14192

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy when parsing a UDP packet due to a net_process_received_packet integer
underflow during an nc_input_packet call.

CVE-2019-14193

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy with an unvalidated length at nfs_readlink_reply, in the "if" block
after calculating the new path length.

CVE-2019-14194

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy with a failed length check at nfs_read_reply when calling store_block in
the NFSv2 case.

CVE-2019-14195

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy with unvalidated length at nfs_readlink_reply in the "else" block after
calculating the new path length.

CVE-2019-14196

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy with a failed length check at nfs_lookup_reply.

CVE-2019-14197

An issue was discovered in Das U-Boot through 2019.07. There is a read of
out-of-bounds data at nfs_read_reply.

CVE-2019-14198

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy with a failed length check at nfs_read_reply when calling store_block in
the NFSv3 case.

CVE-2019-14199

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy when parsing a UDP packet due to a net_process_received_packet integer
underflow during an *udp_packet_handler call.

CVE-2019-14200

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based
buffer overflow in this nfs_handler reply helper function: rpc_lookup_reply.

CVE-2019-14201

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based
buffer overflow in this nfs_handler reply helper function: nfs_lookup_reply.

CVE-2019-14202

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based
buffer overflow in this nfs_handler reply helper function: nfs_readlink_reply.

CVE-2019-14203

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based
buffer overflow in this nfs_handler reply helper function: nfs_mount_reply.

CVE-2019-14204

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based
buffer overflow in this nfs_handler reply helper function: nfs_umountall_reply.

CVE-2020-8432

In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c
do_rename_gpt_parts() function. Double freeing may result in a write-what-where
condition, allowing an attacker to execute arbitrary code.

CVE-2020-10648

Das U-Boot through 2020.01 allows attackers to bypass verified boot
restrictions and subsequently boot arbitrary images by providing a crafted FIT
image to a system configured to boot the default configuration.

CVE-2022-2347

There exists an unchecked length field in UBoot. The U-Boot DFU implementation
does not bound the length field in USB DFU download setup packets, and it does
not verify that the transfer direction corresponds to the specified command.
Consequently, if a physical attacker crafts a USB DFU download setup packet
with a `wLength` greater than 4096 bytes, they can write beyond the
heap-allocated request buffer.

CVE-2022-30552

Das U-Boot 2022.01 has a Buffer Overflow.

CVE-2022-30790

Das U-Boot 2022.01 has a Buffer Overflow, a different issue than
CVE-2022-30552.

CVE-2022-34835

In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant
stack-based buffer overflow in the "i2c md" command enables the corruption of
the return address pointer of the do_i2c_md function.

CVE-2024-57256

An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1
occurs for zalloc (adding one to an le32 variable) via a crafted ext4
filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and
resultant memory overwrite.

CVE-2024-57258

Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur
for a crafted squashfs filesystem via sbrk, via request2size, or because
ptrdiff_t is mishandled on x86_64.

ELA-1458-1 python-django security update (by )

Fri, 13 Jun 2025 11:45:09 -0700

Package : python-django

Version : 1:1.10.7-2+deb9u26 (stretch), 1:1.11.29-1+deb10u15 (buster)

A number of vulnerabilities were found in Django, a Python-based web-development framework:

CVE-2023-43665: Address a denial-of-service possibility in django.utils.text.Truncator.

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable. The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.
CVE-2024-24680: Potential denial-of-service in intcomma template filter. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
CVE-2025-32873: Denial-of-service possibility in strip_tags().

django.utils.html.strip_tags() would be slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the striptags template filter, which was therefore also vulnerable. strip_tags() now raises a SuspiciousOperation exception if it encounters an unusually large number of unclosed opening tags.

ELA-1457-1 varnish security update (by )

Fri, 13 Jun 2025 18:06:18 +0200

Package : varnish

Version : 6.1.1-1+deb10u5 (buster)

Related CVEs : CVE-2025-30346 CVE-2025-47905

Two client-side desync vulnerabilities can be triggered in Varnish, a high-performance web accelerator. An attacker can exploit these flaws when using malformed HTTP/1 requests. The primary risk of these vulnerabilities is enabling HTTP request smuggling attacks which could lead to cache poisoning or the bypass of a web application firewall.

ELA-1456-1 ublock-origin security update (by )

Thu, 12 Jun 2025 23:20:12 +0200

Package : ublock-origin

Version : 1.62.0+dfsg-0+deb9u2 (stretch), 1.62.0+dfsg-0+deb10u2 (buster)

Related CVEs : CVE-2025-4215

A flaw was found in ublock-origin, an efficient ads, malware and tracker blocker. A remote attacker could abuse an inefficient regular expression in ublock-origin’s filters to cause a denial-of-service and freeze a web browser.

Debian Contributions: Updated Austin, DebConf 25 preparations continue and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Wed, 11 Jun 2025 00:00:00 +0000

Debian Contributions: 2025-05

Updated Austin, by Colin Watson and Helmut Grohne

Austin is a frame stack sampling profiler for Python. It allows profiling Python applications without instrumenting them while losing some accuracy in the process, and is the only one of its kind presently packaged for Debian. Unfortunately, it hadn’t been uploaded in a while and hence the last Python version it worked with was 3.8. We updated it to a current version and also dealt with a number of architecture-specific problems (such as unintended sign promotion, 64bit time_t fallout and strictness due to -Wformat-security ) in cooperation with upstream. With luck, it will migrate in time for trixie.

Preparing for DebConf 25, by Stefano Rivera and Santiago Ruano Rincón

DebConf 25 is quickly approaching, and the organization work doesn’t stop. In May, Stefano continued supporting the different teams. Just to give a couple of examples, Stefano made changes in DebConf 25 website to make BoF and sprints submissions public, so interested people can already know if a BoF or sprint for a given subject is planned, allowing coordination with the proposer; or to enhance how statistics are made public to help the work of the local team.

Santiago has participated in different tasks, including the logistics of the conference, like preparing more information about the public transportation that will be available. Santiago has also taken part in activities related to fundraising and reviewing more event proposals.

Miscellaneous contributions

Lucas fixed security issues in Valkey in unstable.
Lucas tried to help with the update of Redis to version 8 in unstable. The package hadn’t been updated for a while due to licensing issues, but now upstream maintainers fixed them.
Lucas uploaded around 20 ruby-* packages to unstable that weren’t updated for some years to make them build reproducible. Thanks to reproducible builds folks to point out those issues. Also some unblock requests (and follow-ups) were needed to make them reach trixie in time for the release.
Lucas is organizing a Debian Outreach session for DebConf 25, reaching out to all interns of Google Summer of Code and Outreachy programs from the last year. The session will be presented by in-person interns and also video recordings from the interns interested in participating but did not manage to attend the conference.
Lucas continuously works on DebConf Content team tasks. Replying to speakers, sponsors, and communicating internally with the team.
Carles improved po-debconf-manager: fixed bugs reported by Catalan translator, added possibility to import packages out of salsa, added using non-default project branches on salsa, polish to get ready for DebCamp.
Carles tested new “apt” in trixie and reported bugs to “apt”, “installation-report”, “libqt6widget6”.
Carles used po-debconf-manager and imported remaining 80 packages, reviewed 20 translations, submitted (MR or bugs) 54 translations.
Carles prepared some topics for translation BoF in DebConf (gathered feedback, first pass on topics).
Helmut gave an introductory talk about the mechanics of Linux namespaces at MiniDebConf Hamburg.
Helmut sent 25 patches for cross compilation failures.
Helmut reviewed, refined and applied a patch from Jochen Sprickerhof to make the Multi-Arch hinter emit more hints for pure Python modules.
Helmut sat down with Christoph Berg (not affiliated with Freexian) and extended unschroot to support directory-based chroots with overlayfs. This is a feature that was lost in transitioning from sbuild’s schroot backend to its unshare backend. unschroot implements the schroot API just enough to be usable with sbuild and otherwise works a lot like the unshare backend. As a result, apt.postgresql.org now performs its builds contained in a user namespace.
Helmut looked into a fair number of rebootstrap failures most of which related to musl or gcc-15 and imported patches or workarounds to make those builds proceed.
Helmut updated dumat to use sqop fixing earlier PGP verification problems thanks to Justus Winter and Neal Walfield explaining a lot of sequoia at MiniDebConf Hamburg.
Helmut got the previous zutils update for /usr-move wrong again and had to send another update.
Helmut looked into why debvm’s autopkgtests were flaky and with lots of help from Paul Gevers and Michael Tokarev tracked it down to a race condition in qemu. He updated debvm to trigger the problem less often and also fixed a wrong dependency using Luca Boccassi’s patch.
Santiago continued the switch to sbuild for Salsa CI (that was stopped for some months), and has been mainly testing linux, since it’s a complex project that heavily customizes the pipeline. Santiago is preparing the changes for linux to submit a MR soon.
In openssh, Colin tracked down some intermittent sshd crashes to a root cause, and issued bookworm and bullseye updates for CVE-2025-32728.
Colin spent some time fixing up fail2ban, mainly reverting a patch that caused its tests to fail and would have banned legitimate users in some common cases.
Colin backported upstream fixes for CVE-2025-48383 (django-select2) and CVE-2025-47287 (python-tornado) to unstable.
Stefano supported video streaming and recording for 2 miniDebConfs in May: Maceió and Hamburg. These had overlapping streams for one day, which is a first for us.
Stefano packaged the new version of python-virtualenv that includes our patches for not including the wheel for wheel.
Stefano got all involved parties to agree (in principle) to meet at DebConf for a mediated discussion on a dispute that was brought to the technical committee.
Anupa coordinated the swag purchase for DebConf 25 with Juliana and Nattie.
Anupa joined the publicity team meeting for discussing the upcoming events and BoF at DebConf 25.
Anupa worked with the publicity team to publish Bits post to welcome GSoc 2025 Interns.

Monthly report about Debian Long Term Support, May 2025 (by Roberto C. Sánchez)

Roberto C. Sánchez — Wed, 11 Jun 2025 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In May, 22 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 8.0h (out of 0.0h assigned and 8.0h from previous period).
Adrian Bunk did 26.0h (out of 26.0h assigned).
Andreas Henriksson did 1.0h (out of 15.0h assigned and 3.0h from previous period), thus carrying over 17.0h to the next month.
Andrej Shadura did 3.0h (out of 10.0h assigned), thus carrying over 7.0h to the next month.
Bastien Roucariès did 20.0h (out of 20.0h assigned).
Ben Hutchings did 8.0h (out of 20.0h assigned and 4.0h from previous period), thus carrying over 16.0h to the next month.
Carlos Henrique Lima Melara did 12.0h (out of 11.0h assigned and 1.0h from previous period).
Chris Lamb did 15.5h (out of 0.0h assigned and 15.5h from previous period).
Daniel Leidert did 25.0h (out of 26.0h assigned), thus carrying over 1.0h to the next month.
Emilio Pozuelo Monfort did 21.0h (out of 16.75h assigned and 11.0h from previous period), thus carrying over 6.75h to the next month.
Guilhem Moulin did 11.5h (out of 8.5h assigned and 6.5h from previous period), thus carrying over 3.5h to the next month.
Jochen Sprickerhof did 3.5h (out of 8.75h assigned and 17.5h from previous period), thus carrying over 22.75h to the next month.
Lee Garrett did 26.0h (out of 12.75h assigned and 13.25h from previous period).
Lucas Kanashiro did 20.0h (out of 18.0h assigned and 2.0h from previous period).
Markus Koschany did 20.0h (out of 26.25h assigned), thus carrying over 6.25h to the next month.
Roberto C. Sánchez did 20.75h (out of 24.0h assigned), thus carrying over 3.25h to the next month.
Santiago Ruano Rincón did 15.0h (out of 12.5h assigned and 2.5h from previous period).
Sean Whitton did 6.25h (out of 6.0h assigned and 2.0h from previous period), thus carrying over 1.75h to the next month.
Sylvain Beucler did 26.25h (out of 26.25h assigned).
Thorsten Alteholz did 15.0h (out of 15.0h assigned).
Tobias Frost did 12.0h (out of 12.0h assigned).
Utkarsh Gupta did 1.0h (out of 15.0h assigned), thus carrying over 14.0h to the next month.

Evolution of the situation

In May, we released 54 DLAs.

The LTS Team was particularly active in May, publishing a higher than normal number of advisories, as well as helping with a wide range of updates to packages in stable and unstable, plus some other interesting work. We are also pleased to welcome several updates from contributors outside the regular team.

Notable security updates:
- containerd, prepared by Andreas Henriksson, fixes a vulnerability that could cause containers launched as non-root users to be run as root
- libapache2-mod-auth-openidc, prepared by Moritz Schlarb, fixes a vulnerability which could allow an attacker to crash an Apache web server with libapache2-mod-auth-openidc installed
- request-tracker4, prepared by Andrew Ruthven, fixes multiple vulnerabilities which could result in information disclosure, cross-site scripting and use of weak encryption for S/MIME emails
- postgresql-13, prepared by Bastien Roucariès, fixes an application crash vulnerability that could affect the server or applications using libpq
- dropbear, prepared by Guilhem Moulin, fixes a vulnerability which could potentially result in execution of arbitrary shell commands
- openjdk-17, openjdk-11, prepared by Thorsten Glaser, fixes several vulnerabilities, which include denial of service, information disclosure or bypass of sandbox restrictions
- glibc, prepared by Sean Whitton, fixes a privilege escalation vulnerability
Notable non-security updates:
- wireless-regdb, prepared by Ben Hutchings, updates information reflecting changes to radio regulations in many countries

This month’s contributions from outside the regular team include the libapache2-mod-auth-openidc update mentioned above, prepared by Moritz Schlarb (the maintainer of the package); the update of request-tracker4, prepared by Andrew Ruthven (the maintainer of the package); and the updates of openjdk-17 and openjdk-11, also noted above, prepared by Thorsten Glaser.

Additionally, LTS Team members contributed stable updates of the following packages:

rubygems and yelp/yelp-xsl, prepared by Lucas Kanashiro
simplesamlphp, prepared by Tobias Frost
libbson-xs-perl, prepared by Roberto C. Sánchez
fossil, prepared by Sylvain Beucler
setuptools and mydumper, prepared by Lee Garrett
redis and webpy, prepared by Adrian Bunk
xrdp, prepared by Abhijith PA
tcpdf, prepared by Santiago Ruano Rincón
kmail-account-wizard, prepared by Thorsten Alteholz

Other contributions were also made by LTS Team members to packages in unstable:

proftpd-dfsg DEP-8 tests (autopkgtests) were provided to the maintainer, prepared by Lucas Kanashiro
a regular upload of libsoup2.4, prepared by Sean Whitton
a regular upload of setuptools, prepared by Lee Garrett

Freexian, the entity behind the management of the Debian LTS project, has been working for some time now on the development of an advanced CI platform for Debian-based distributions, called Debusine. Recently, Debusine has reached a level of feature implementation that makes it very usable. Some members of the LTS Team have been using Debusine informally, and during May LTS coordinator Santiago Ruano Rincón has made a call for the team to help with testing of Debusine, and to help evaluate its suitability for the LTS Team to eventually begin using as the primary mechanism for uploading packages into Debian. Team members who have started using Debusine are providing valuable feedback to the Debusine development team, thus helping to improve the platform for all users. Actually, a number of updates, for both bullseye and bookworm, made during the month of May were handled using Debusine, e.g. rubygems’s DLA-4163-1.

By the way, if you are a Debian Developer, you can easily test Debusine following the instructions found at https://wiki.debian.org/DebusineDebianNet.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 116 months)
- Civil Infrastructure Platform (CIP) (for 84 months)
- VyOS Inc (for 48 months)
Gold sponsors:
- Roche Diagnostics International AG (for 126 months)
- Akamai - Linode (for 120 months)
- Babiel GmbH (for 110 months)
- Plat’Home (for 109 months)
- University of Oxford (for 66 months)
- Deveryware (for 53 months)
- EDF SA (for 38 months)
- Dataport AöR (for 13 months)
- CERN (for 11 months)
Silver sponsors:
- Domeneshop AS (for 131 months)
- Nantes Métropole (for 125 months)
- Univention GmbH (for 117 months)
- Université Jean Monnet de St Etienne (for 117 months)
- Ribbon Communications, Inc. (for 111 months)
- Exonet B.V. (for 100 months)
- Leibniz Rechenzentrum (for 95 months)
- Ministère de l’Europe et des Affaires Étrangères (for 78 months)
- Cloudways by DigitalOcean (for 68 months)
- Dinahosting SL (for 66 months)
- Bauer Xcel Media Deutschland KG (for 60 months)
- Platform.sh SAS (for 60 months)
- Moxa Inc. (for 54 months)
- sipgate GmbH (for 52 months)
- OVH US LLC (for 50 months)
- Tilburg University (for 50 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 41 months)
- THINline s.r.o. (for 14 months)
- Copenhagen Airports A/S (for 8 months)
Bronze sponsors:
- Evolix (for 131 months)
- Seznam.cz, a.s. (for 131 months)
- Intevation GmbH (for 128 months)
- Linuxhotel GmbH (for 128 months)
- Daevel SARL (for 127 months)
- Bitfolk LTD (for 126 months)
- Megaspace Internet Services GmbH (for 126 months)
- Greenbone AG (for 125 months)
- NUMLOG (for 125 months)
- WinGo AG (for 124 months)
- Entr’ouvert (for 115 months)
- Adfinis AG (for 113 months)
- Tesorion (for 108 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 107 months)
- Bearstech (for 99 months)
- LiHAS (for 99 months)
- Catalyst IT Ltd (for 94 months)
- Demarcq SAS (for 88 months)
- Université Grenoble Alpes (for 74 months)
- TouchWeb SAS (for 66 months)
- SPiN AG (for 63 months)
- CoreFiling (for 59 months)
- Institut des sciences cognitives Marc Jeannerod (for 54 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 50 months)
- Tem Innovations GmbH (for 45 months)
- WordFinder.pro (for 44 months)
- CNRS DT INSU Résif (for 43 months)
- Soliton Systems K.K. (for 38 months)
- Alter Way (for 36 months)
- Institut Camille Jordan (for 26 months)
- SOBIS Software GmbH (for 11 months)
- Tuxera Inc.

ELA-1455-1 curl security update (by )

Mon, 09 Jun 2025 22:38:21 -0300

Package : curl

Version : 7.38.0-4+deb8u29 (jessie)

Three security issues were found in Curl, an easy-to-use client-side URL transfer library and command line tool:

CVE-2023-27534

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation
causes the tilde (~) character to be wrongly replaced when used as a prefix
in the first path element, in addition to its intended use as the first
element to indicate a path relative to the user's home directory. Attackers
can exploit this flaw to bypass filtering or execute arbitrary code by
crafting a path like /~2/foo while accessing a server with a specific user.

CVE-2023-28321

An improper certificate validation vulnerability exists in curl <v8.1.0 in
the way it supports matching of wildcard patterns when listed as "Subject
Alternative Name" in TLS server certificates. curl can be built to use its
own name matching function for TLS rather than one provided by a TLS
library. This private wildcard matching function would match IDN
(International Domain Name) hosts incorrectly and could as a result accept
patterns that otherwise should mismatch. IDN hostnames are converted to
puny code before used for certificate checks. Puny coded names always start
with `xn--` and should not be allowed to pattern match, but the wildcard
check in curl could still check for `x*`, which would match even though the
IDN name most likely contained nothing even resembling an `x`.

CVE-2023-28322

An information disclosure vulnerability exists in curl <v8.1.0 when doing
HTTP(S) transfers, libcurl might erroneously use the read callback
(`CURLOPT_READFUNCTION`) to ask for data to send, even when the
`CURLOPT_POSTFIELDS` option has been set, if the same handle previously
was used to issue a `PUT` request which used that callback. This flaw may
surprise the application and cause it to misbehave and either send off the
wrong data or use memory after free or similar in the second transfer. The
problem exists in the logic for a reused handle when it is (expected to be)
changed from a PUT to a POST.

ELA-1068-2 curl regression update (by )

Mon, 09 Jun 2025 14:47:49 -0300

Package : curl

Version : 7.52.1-5+deb9u24 (stretch), 7.64.0-4+deb10u12 (buster)

The fix for CVE-2023-27534 in curl made the handling of tilde (~) way more strict in sftp mode and caused a regression when trying to list the home dir with sftp://host/~.

ELA-1454-1 twitter-bootstrap3 security update (by )

Mon, 09 Jun 2025 15:03:15 +0200

Package : twitter-bootstrap3

Version : 3.3.7+dfsg-2+deb9u3~deb8u2 (jessie), 3.3.7+dfsg-2+deb9u4 (stretch), 3.4.1+dfsg-1+deb10u2 (buster)

Related CVEs : CVE-2025-1647

A cross-site scripting (XSS) vulnerability has been identified within the Bootstrap 3 Popover component and Bootstrap 3 Tooltip component, which allows unsanitized HTML to be used.

If you use bootstrap through a module bundler, you may need to rebuild your application.

ELA-1453-1 modsecurity-apache security update (by )

Mon, 09 Jun 2025 16:02:51 +0300

Package : modsecurity-apache

Version : 2.8.0-3+deb8u4 (jessie), 2.9.1-2+deb9u4 (stretch), 2.9.3-3+deb11u4~deb10u1 (buster)

Related CVEs : CVE-2025-48866

DoS with sanitiseArg/sanitizeArg has been fixed in modsecurity-apache, a module for the Apache webserver to tighten Web application security.

ELA-1452-1 glibc security update (by )

Sun, 08 Jun 2025 09:40:31 +0100

Package : glibc

Version : 2.28-10+deb10u5 (buster)

Related CVEs : CVE-2025-0395 CVE-2025-4802

Multiple vulnerabilities were discovered in the GNU C Library, the C standard library implementation used by Debian.

CVE-2024-0395

When the function fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

CVE-2025-4802

Privilege escalation may be possible in statically compiled setuid binaries that call dlopen(), due to an untrusted LD_LIBRARY_PATH environment variable vulnerability. This includes calls to dlopen() internal to glibc itself, made after user calls to setlocale() or to NSS functions such as getaddrinfo().

ELA-1451-1 glibc security update (by )

Sun, 08 Jun 2025 09:39:20 +0100

Package : glibc

Version : 2.19-18+deb8u15 (jessie), 2.24-11+deb9u8 (stretch)

Related CVEs : CVE-2025-0395

A flaw was found in the implementation of assert() in the GNU C Library, the C standard library implementation used by Debian. When the function fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

ELA-1448-1 python-django security update (by )

Sat, 07 Jun 2025 10:03:49 -0700

Package : python-django

Version : 1.7.11-1+deb8u20 (jessie)

A number of vulnerabilities were discovered in Django, a popular Python-based web development framework:

CVE-2025-32873: Prevent an issue where the strip_tags() function in django.utils.html was vulnerable to a potential denial-of-service (DoS) attack when processing inputs containing large sequences of incomplete HTML tags. The template filter |striptags was similarly vulnerable, as it is built on top of strip_tags().
CVE-2024-24680: Prevent an issue where the |intcomma template filter was subject to a potential denial-of-service attack when used with very long input strings.
CVE-2023-36053: Prevent an potential denial-of-service issue in the EmailValidator and URLValidator classes that could have been exploited via a very large number of domain name labels containing emails and/or URLs.

ELA-1450-1 krb5 security update (by )

Sat, 07 Jun 2025 10:48:15 +0200

Package : krb5

Version : 1.12.1+dfsg-19+deb8u11 (jessie), 1.15-1+deb9u8 (stretch), 1.17-3+deb10u9 (buster)

Related CVEs : CVE-2025-3576

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

In order to fix CVE-2025-3576, vulnerable cryptographic algorithms for tickets need to be disabled explicitly with the new allow_rc4 or allow_des3 variables.

According to the vulnerability report “Kerberos’ RC4-HMAC broken in practice: spoofing PACs with MD5 collisions”, disabling this cryptographic algorithm suite may break some older authentication systems, and administrators should test carefully.

Because of the risk of breaking certain configurations, the new allow_rc4 or allow_des3 are being treated as having a default value of ’true’ for updates to older Debian releases. This leaves the 3DES and RC4 algorithms enabled, but administrators are strongly encouraged to disable them after verifying compatibility in their environments.

ELA-1449-1 libfile-find-rule-perl security update (by )

Fri, 06 Jun 2025 23:56:14 +0300

Package : libfile-find-rule-perl

Version : 0.34-1+deb11u1~deb9u1 (stretch), 0.34-1+deb11u1~deb10u1 (buster)

Related CVEs : CVE-2011-10007

Arbitrary code execution with crafted file names was fixed in libfile-find-rule-perl, a module to search for files based on rules.

ELA-1447-1 net-tools security update (by )

Sat, 31 May 2025 23:58:20 +0300

Package : net-tools

Version : 1.60-26+deb8u1 (jessie), 1.60+git20161116.90da8a0-1+deb9u1 (stretch), 1.60+git20180626.aebd88e-1+deb10u1 (buster)

Related CVEs : CVE-2025-46836

Multiple stack-based buffer overflows have been fixed in the net-tools network utilities.

ELA-1446-1 libvpx security update (by )

Sat, 31 May 2025 23:49:38 +0300

Package : libvpx

Version : 1.6.1-3+deb9u7 (stretch), 1.7.0-3+deb10u4 (buster)

Related CVEs : CVE-2025-5283

Double free on init failure has been fixed in libvpx, a library for decoding and encoding VP8 and VP9 videos.

ELA-1445-1 espeak-ng security update (by )

Sat, 31 May 2025 10:55:02 +0200

Package : espeak-ng

Version : 1.49.0+dfsg-11+deb9u1 (stretch), 1.49.2+dfsg-8+deb10u2 (buster)

Several issues have been found in espeak-ng, a Multi-lingual software speech synthesizer. The issues are related to buffer overflow or underflow in several functions and a floating point exception.

ELA-1444-1 kmail-account-wizard security update (by )

Sat, 31 May 2025 01:12:19 +0200

Package : kmail-account-wizard

Version : 4:18.08.3-1+deb10u1 (buster)

Related CVEs : CVE-2020-15954 CVE-2024-50624

Two issues have been found in kmail-account-wizard, a wizard for KDE PIM applications account setup.

One issue is about a man-in-the-middle-attack when using autoconf for retrieving configuration. The other issue is about a misleading UI, in which the state of encryption is shown wrong.

Please also note that for configuration with autoconf.example.com, the config is first fetched with https and the former http is used only as fallback. For configuration via example.com/.well-known/autoconfig the config is now fetched only with https.

ELA-1443-1 linux-6.1 security update (by )

Fri, 30 May 2025 10:53:02 +0200

Package : linux-6.1

Version : 6.1.137-1~deb9u1 (stretch), 6.1.137-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This additionally includes many more bug fixes from stable updates 6.1.130-6.1.137 and an update of the Microsoft Azure Network Adapter (mana) driver.

ELA-1442-1 linux-5.10 security update (by )

Fri, 30 May 2025 09:36:27 +0200

Package : linux-5.10

Version : 5.10.237-1~deb8u1 (jessie), 5.10.237-1~deb9u1 (stretch), 5.10.237-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This additionally includes many more bug fixes from stable updates 5.10.235-5.10.237.

ELA-1441-1 modsecurity-apache security update (by )

Thu, 29 May 2025 23:56:19 +0300

Package : modsecurity-apache

Version : 2.8.0-3+deb8u3 (jessie), 2.9.1-2+deb9u3 (stretch), 2.9.3-1+deb10u3 (buster)

Related CVEs : CVE-2025-47947

DoS with sanitiseMatchedBytes has been fixed in modsecurity-apache, a module for the Apache webserver to tighten Web application security.

ELA-1440-1 webpy security update (by )

Thu, 29 May 2025 14:28:13 +0300

Package : webpy

Version : 1:0.38-1+deb9u1 (stretch)

Related CVEs : CVE-2025-3818

PostgreSQL SQL injection has been fixed in web.py, a Web framework for Python applications.

ELA-1438-1 yelp security update (by )

Wed, 28 May 2025 17:32:20 -0300

Package : yelp

Version : 3.22.0-1+deb9u1 (stretch), 3.31.90-1+deb10u1 (buster)

Related CVEs : CVE-2025-3155

A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.

ELA-1439-1 yelp-xsl security update (by )

Wed, 28 May 2025 17:31:33 -0300

Package : yelp-xsl

Version : 3.20.1-2+deb9u1 (stretch), 3.31.90-1+deb10u1 (buster)

Related CVEs : CVE-2025-3155

ELA-1437-1 libbson security update (by )

Mon, 26 May 2025 17:08:23 -0400

Package : libbson

Version : 1.4.2-1+deb9u1 (stretch)

Multiple vulnerabilities have been discovered in the MongoDB BSON library.

CVE-2017-14227

The bson_iter_codewscope function in bson-iter.c miscalculates a
bson_utf8_validate length argument, which allows remote attackers to
cause a denial of service (heap-based buffer over-read in the
bson_utf8_validate function in bson-utf8.c).

CVE-2018-16790

_bson_iter_next_internal in bson-iter.c has a heap-based buffer
over-read via a crafted bson buffer.

CVE-2023-0437

When calling bson_utf8_validate on some inputs a loop with an exit
condition that cannot be reached may occur, i.e. an infinite loop.

CVE-2024-6381

The bson_strfreev function in the MongoDB C driver library may be
susceptible to an integer overflow where the function will try to
free memory at a negative offset. This may result in memory
corruption.

CVE-2024-6383

The bson_string_append function in MongoDB C Driver may be
vulnerable to a buffer overflow where the function might attempt to
allocate too small of buffer and may lead to memory corruption of
neighbouring heap memory.

CVE-2025-0755

The various bson_append functions in the MongoDB C driver library
may be susceptible to buffer overflow when performing operations
that could result in a final BSON document which exceeds the maximum
allowable size (INT32_MAX), resulting in a segmentation fault and
possible application crash.

ELA-1435-1 libfcgi-perl security update (by )

Mon, 26 May 2025 23:00:48 +0200

Package : libfcgi-perl

Version : 0.77-1+deb8u2 (jessie), 0.78-2+deb9u1 (stretch), 0.78-2+deb10u1 (buster)

Related CVEs : CVE-2025-40907

libfcgi-perl is a helper module for FastCGI, a binary protocol for interfacing interactive programs with a web server. It was found the included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket which may lead to a denial of service or other unspecified impact.

ELA-1434-1 subversion security update (by )

Mon, 26 May 2025 22:49:55 +0200

Package : subversion

Version : 1.8.10-6+deb8u10 (jessie), 1.9.5-1+deb9u7 (stretch), 1.10.4-1+deb10u4 (buster)

Related CVEs : CVE-2024-46901

A flaw has been discovered in subversion, an advanced version control system. The patch for CVE-2013-1968 was incomplete and unintentionally left mod_dav_svn vulnerable to control characters in filenames. If a path or a revision-property which contains control characters is committed to a repository then SVN operations served by mod_dav_svn can be disrupted.

ELA-1433-1 glib2.0 security update (by )

Mon, 26 May 2025 22:23:44 +0200

Package : glib2.0

Version : 2.42.1-1+deb8u9 (jessie)

Related CVEs : CVE-2025-4373

A flaw was found in GLib, a bundle of low-level system libraries, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.

Additionally this update addresses a regression introduced in ELA-625-1 in order to fix CVE-2021-27218. The inline keyword in the gmem.h header file was not defined if software used an older C standard which led to a build failure when building reverse-dependencies of GLib, e.g. subversion.

ELA-1436-1 gimp security update (by )

Mon, 26 May 2025 15:53:36 +0300

Package : gimp

Version : 2.8.18-1+deb9u4 (stretch), 2.10.8-2+deb10u3 (buster)

Related CVEs : CVE-2025-5473

ICO file parsing integer overflow has been fixed in GIMP, the GNU Image Manipulation Program.

ELA-1432-1 libphp-adodb security update (by )

Sat, 24 May 2025 23:52:15 +0300

Package : libphp-adodb

Version : 5.20.14-1+deb10u2 (buster)

Related CVEs : CVE-2025-46337

SQL injection in the PostgreSQL driver has been fixed in the ADOdb database access library for PHP.

ELA-1431-1 mongo-c-driver security update (by )

Wed, 21 May 2025 09:58:35 -0400

Package : mongo-c-driver

Version : 1.14.0-1+deb10u1 (buster)

Multiple vulnerabilities have been discovered in the MongoDB C Driver.

CVE-2021-32050

Some MongoDB Drivers may erroneously publish events containing
authentication-related data to a command listener configured by an
application. The published events may contain security-sensitive
data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this
sensitive information, e.g., by writing it to a log file. This issue
only arises if an application enables the command listener feature
(this is not enabled by default).

CVE-2023-0437

When calling bson_utf8_validate on some inputs a loop with an exit
condition that cannot be reached may occur, i.e. an infinite loop.

CVE-2024-6381

The bson_strfreev function in the MongoDB C driver library may be
susceptible to an integer overflow where the function will try to
free memory at a negative offset. This may result in memory
corruption.

CVE-2024-6383

The bson_string_append function in MongoDB C Driver may be
vulnerable to a buffer overflow where the function might attempt to
allocate too small of buffer and may lead to memory corruption of
neighbouring heap memory.

CVE-2025-0755

The various bson_append functions in the MongoDB C driver library
may be susceptible to buffer overflow when performing operations
that could result in a final BSON document which exceeds the maximum
allowable size (INT32_MAX), resulting in a segmentation fault and
possible application crash.

ELA-1430-1 vim security update (by )

Wed, 21 May 2025 10:31:07 +0200

Package : vim

Version : 2:7.4.488-7+deb8u12 (jessie), 2:8.0.0197-4+deb9u12 (stretch), 2:8.1.0875-5+deb10u7 (buster)

Multiple vulnerabilities have been fixed in the editor vim.

CVE-2023-4738

buffer-overflow in vim_regsub_both()

CVE-2023-5344

buffer-overflow in trunc_string()

CVE-2024-22667

stack-buffer-overflow in option callback functions

CVE-2024-43802

heap-buffer-overflow in ins_typebuf()

CVE-2024-47814

use-after-free when closing a buffer

ELA-1429-1 openjdk-8 security update (by )

Tue, 20 May 2025 12:26:21 +0200

Package : openjdk-8

Version : 8u452-ga-1~deb8u1 (jessie), 8u452-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

ELA-1428-1 openjdk-11 security update (by )

Tue, 20 May 2025 10:37:25 +0200

Package : openjdk-11

Version : 11.0.27+6-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

ELA-1427-1 open-vm-tools security update (by )

Mon, 19 May 2025 15:33:03 +0200

Package : open-vm-tools

Version : 2:10.1.5-5055683-4+deb9u7 (stretch), 2:10.3.10-1+deb10u7 (buster)

Related CVEs : CVE-2025-22247

It was discovered that insecure file handling in open-vm-tools, an open source implementation of VMware Tools, may allow an unprivileged local guest user to tamper local files to trigger insecure file operations within that VM.

ELA-1426-1 ghostscript security update (by )

Mon, 19 May 2025 00:49:04 +0200

Package : ghostscript

Version : 9.26a~dfsg-0+deb8u15 (jessie), 9.26a~dfsg-0+deb9u14 (stretch), 9.27~dfsg-2+deb10u11 (buster)

Multiple vulnerabilities affected ghostscript an interpreter for PostScript and Portable Document Format (PDF) page description languages.

CVE-2025-27830

Buffer overflow via serialization of DollarBlend

CVE-2025-27831

Unicode decoding overrun

CVE-2025-27832

Integer overflow leading to buffer overflow

CVE-2025-27835

Confusion between bytes and shorts

CVE-2025-27836

Buffer overflow in bj10v device

ELA-1425-1 intel-microcode security update (by )

Sun, 18 May 2025 19:23:37 +0200

Package : intel-microcode

Version : 3.20250512.1~deb8u1 (jessie), 3.20250512.1~deb9u1 (stretch), 3.20250512.1~deb10u1 (buster)

Microcode updates have been released for Intel(R) processors, addressing multiple potential vulnerabilties that may allow denial of service or information disclosure.

CVE-2024-28956

Exposure of Sensitive Information in Shared Microarchitectural
Structures during Transient Execution for some Intel(R) Processors
may allow an authenticated user to potentially enable information
disclosure via local access.

CVE-2024-43420

Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution for some Intel Atom(R) processors may allow an
authenticated user to potentially enable information disclosure via
local access.

CVE-2024-45332

Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution in the indirect branch predictors for some Intel(R)
Processors may allow an authenticated user to potentially enable
information disclosure via local access.

CVE-2025-20012

Incorrect behavior order for some Intel(R) Core™ Ultra Processors
may allow an unauthenticated user to potentially enable information
disclosure via physical access.

CVE-2025-20054

Uncaught exception in the core management mechanism for some
Intel(R) Processors may allow an authenticated user to potentially
enable denial of service via local access.

CVE-2025-20103

Insufficient resource pool in the core management mechanism for some
Intel(R) Processors may allow an authenticated user to potentially
enable denial of service via local access.

CVE-2025-20623

Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution for some Intel(R) Core™ processors (10th Generation) may
allow an authenticated user to potentially enable information
disclosure via local access.

CVE-2025-24495

Incorrect initialization of resource in the branch prediction unit
for some Intel(R) Core™ Ultra Processors may allow an authenticated
user to potentially enable information disclosure via local access.

ELA-1424-1 libraw security update (by )

Sun, 18 May 2025 14:43:37 +0200

Package : libraw

Version : 0.17.2-6+deb9u6 (stretch), 0.19.2-2+deb10u5 (buster)

CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser. (This issue did not affect 0.17.2-6+deb9u5 and earlier versions.)
CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations.
CVE-2025-43963: phase_one_correct() allows out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing.
CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not enforce minimum w0 and w1 values.

ELA-1423-1 dropbear security update (by )

Sun, 18 May 2025 08:59:41 +0200

Package : dropbear

Version : 2018.76-5+deb10u3 (buster)

Related CVEs : CVE-2025-47203

Marcin Nowak discovered that dbclient(1) hostname arguments with a comma (for multihop) are passed to the shell which could result in running arbitrary shell commands locally. Such behavior could have security implications in situations where dbclient(1) is passed untrusted hostname arguments.

The multihop command is now executed directly (no shell is involved).

ELA-1422-1 simplesamlphp security update (by )

Sat, 17 May 2025 10:22:36 +0200

Package : simplesamlphp

Version : 1.16.3-1+deb10u4 (buster)

Related CVEs : CVE-2020-5225 CVE-2025-27773

Multiple vulnerabilites have been discovered in SimpleSAMLphp, a framework for authentication, primarily via the SAML protocol.

CVE-2020-5225

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances, to inject new log lines by manually crafting this report ID. When configured to use the file logging handler, SimpleSAMLphp will output all its logs by appending each log line to a given file. Since the reportID parameter received in a request sent to www/errorreport.php was not properly sanitized, it was possible to inject newline characters into it, effectively allowing a malicious user to inject new log lines with arbitrary content.

CVE-2025-27773

The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.

ELA-1421-1 vips security update (by )

Fri, 16 May 2025 13:24:18 +0200

Package : vips

Version : 8.7.4-1+deb10u2 (buster)

Related CVEs : CVE-2021-27847

Division by zero issues were discovered in vips_eye_point() and vips_mask_point(), potentially leading to denial of service.

Monthly report about Debian Long Term Support, April 2025 (by Roberto C. Sánchez)

Roberto C. Sánchez — Fri, 16 May 2025 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In April, 22 contributors have been paid to work on Debian LTS, their reports are available:

Adrian Bunk did 56.25h (out of 56.25h assigned).
Andreas Henriksson did 15.0h (out of 20.0h assigned), thus carrying over 5.0h to the next month.
Andrej Shadura did 10.0h (out of 6.0h assigned and 4.0h from previous period).
Bastien Roucariès did 31.5h (out of 31.5h assigned).
Ben Hutchings did 8.0h (out of 0.0h assigned and 12.0h from previous period), thus carrying over 4.0h to the next month.
Carlos Henrique Lima Melara did 11.0h (out of 12.0h assigned), thus carrying over 1.0h to the next month.
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 26.0h (out of 26.0h assigned).
Emilio Pozuelo Monfort did 30.0h (out of 39.25h assigned and 0.25h from previous period), thus carrying over 9.5h to the next month.
Guilhem Moulin did 8.5h (out of 3.25h assigned and 11.75h from previous period), thus carrying over 6.5h to the next month.
Jochen Sprickerhof did 12.5h (out of 20.75h assigned and 9.25h from previous period), thus carrying over 17.5h to the next month.
Lee Garrett did 26.25h (out of 7.75h assigned and 31.75h from previous period), thus carrying over 13.25h to the next month.
Lucas Kanashiro did 50.0h (out of 0.0h assigned and 52.0h from previous period), thus carrying over 2.0h to the next month.
Markus Koschany did 39.5h (out of 39.5h assigned).
Roberto C. Sánchez did 9.0h (out of 0.0h assigned and 12.0h from previous period), thus carrying over 3.0h to the next month.
Santiago Ruano Rincón did 12.5h (out of 7.5h assigned and 7.5h from previous period), thus carrying over 2.5h to the next month.
Sean Whitton did 7.0h (out of 7.0h assigned).
Stefano Rivera did 0.5h (out of 0.0h assigned and 10.0h from previous period), thus carrying over 9.5h to the next month.
Sylvain Beucler did 39.5h (out of 39.25h assigned and 0.25h from previous period).
Thorsten Alteholz did 15.0h (out of 15.0h assigned).
Tobias Frost did 12.0h (out of 7.75h assigned and 4.25h from previous period).
Utkarsh Gupta did 2.0h (out of 2.0h assigned).

Evolution of the situation

In April, we released 46 DLAs.

Notable security updates:
- jetty9, prepared by Markus Koschany, fixes an information disclosure and potential remote code execution vulnerability
- zabbix, prepared by Tobias Frost, fixes several vulnerabilities, encompassing denial of service, information disclosure or remote code inclusion
- glibc, prepared by Sean Whitton, fixes a buffer overflow vulnerability
Notable non-security updates:
- tzdata, prepared by Emilio Pozuelo Monfort, brings the latest timezone database release
- php-horde-editor and php-horde-imp, prepared by Sylvain Beucler, have been updated to switch from CKEditor v3, which is EOL, to CKEditor v4; this builds upon work done last month by Sylvain and Bastien for the complete removal of ckeditor3
- distro-info-data, prepared by Stefano Rivera, adds information concerning future Debian and Ubuntu releases

The LTS team continues to welcome the collaboration of maintainers and other interested parties from outside the regular team. In April, we had external updates contributed by: Yadd - lemonldap-ng and Moritz Schlarb - libapache2-mod-auth-openidc

A point release of the current stable Debian 12 (codename “bookworm”) is planned for mid-May and several LTS contributors have prepared packages for this update, many of them prepared in conjunction with related LTS updates of the same packages:

glib2.0, haproxy, imagemagick, poppler, and python-h11, prepared by Adrian Bunk
rubygems, prepared by Lucas Kanashiro
ruby3.1 (in collaboration with Lucas Kanashiro), twitter-bootstrap3, twitterboot-strap4, wpa, and erlang, prepared by Bastien Roucariès (corresponding updates of twitter-bootstrap3 and twitter-bootstrap4 were also uploaded to Debian unstable)
abseil, prepared by Tobias Frost (a corresponding update was also uploaded to Debian unstable)
vips, prepared by Guilhem Moulin

Additional updates of ruby3.3 and rubygems were prepared for Debian unstable by Lucas Kanashiro.

And finally, a highlight of our continued commitment to enhancing long term support efforts in upstream projects. Freexian, as the primary entity behind the management and execution of the LTS project, has partnered with Invisible Things Lab to extend the upstream security support of Xen 4.17, which is shipped in Debian 12 “bookworm” (the current stable release). This partnership will result in significantly improved lifecycle support for users of Xen on bookworm, and members of the LTS team will play a part in this endeavour. The Freexian announcement has additional details.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 115 months)
- Civil Infrastructure Platform (CIP) (for 83 months)
- VyOS Inc (for 47 months)
Gold sponsors:
- Roche Diagnostics International AG (for 125 months)
- Akamai - Linode (for 120 months)
- Babiel GmbH (for 109 months)
- Plat’Home (for 108 months)
- University of Oxford (for 65 months)
- Deveryware (for 53 months)
- EDF SA (for 37 months)
- Dataport AöR (for 12 months)
- CERN (for 10 months)
Silver sponsors:
- Domeneshop AS (for 130 months)
- Nantes Métropole (for 124 months)
- Univention GmbH (for 116 months)
- Université Jean Monnet de St Etienne (for 116 months)
- Ribbon Communications, Inc. (for 110 months)
- Exonet B.V. (for 100 months)
- Leibniz Rechenzentrum (for 94 months)
- Ministère de l’Europe et des Affaires Étrangères (for 78 months)
- Cloudways by DigitalOcean (for 67 months)
- Dinahosting SL (for 65 months)
- Bauer Xcel Media Deutschland KG (for 59 months)
- Platform.sh SAS (for 59 months)
- Moxa Inc. (for 53 months)
- sipgate GmbH (for 51 months)
- OVH US LLC (for 49 months)
- Tilburg University (for 49 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 40 months)
- THINline s.r.o. (for 13 months)
- Copenhagen Airports A/S (for 7 months)
Bronze sponsors:
- Seznam.cz, a.s. (for 131 months)
- Evolix (for 130 months)
- Intevation GmbH (for 127 months)
- Linuxhotel GmbH (for 127 months)
- Daevel SARL (for 126 months)
- Bitfolk LTD (for 125 months)
- Megaspace Internet Services GmbH (for 125 months)
- Greenbone AG (for 124 months)
- NUMLOG (for 124 months)
- WinGo AG (for 123 months)
- Entr’ouvert (for 115 months)
- Adfinis AG (for 112 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 107 months)
- Tesorion (for 107 months)
- Bearstech (for 98 months)
- LiHAS (for 98 months)
- Catalyst IT Ltd (for 93 months)
- Supagro (for 88 months)
- Demarcq SAS (for 87 months)
- Université Grenoble Alpes (for 73 months)
- TouchWeb SAS (for 65 months)
- SPiN AG (for 62 months)
- CoreFiling (for 58 months)
- Institut des sciences cognitives Marc Jeannerod (for 53 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 49 months)
- Tem Innovations GmbH (for 44 months)
- WordFinder.pro (for 44 months)
- CNRS DT INSU Résif (for 42 months)
- Soliton Systems K.K. (for 38 months)
- Alter Way (for 35 months)
- Institut Camille Jordan (for 25 months)
- SOBIS Software GmbH (for 10 months)
- Tuxera Inc.

ELA-1420-1 redis security update (by )

Mon, 12 May 2025 16:24:47 +0300

Package : redis

Version : 2:2.8.17-1+deb8u15 (jessie), 3:3.2.6-3+deb9u15 (stretch), 5:5.0.14-1+deb10u8 (buster)

Related CVEs : CVE-2025-21605

Unlimited output buffer for unauthenticated clients has been fixed in the key–value database Redis.

Debian Contributions: DebConf 25 preparations, PyPA tools updates, Removing libcrypt-dev from build-essential and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Mon, 12 May 2025 00:00:00 +0000

Debian Contributions: 2025-04

DebConf 25 Preparations, by Stefano Rivera and Santiago Ruano Rincón

DebConf 25 preparations continue. In April, the bursary team reviewed and ranked bursary applications. Santiago Ruano Rincón examined the current state of the conference’s finances, to see if we could allocate any more money to bursaries. Stefano Rivera supported the bursary team’s work with infrastructure and advice and added some metrics to assist Santiago’s budget review. Santiago was also involved in different parts of the organization, including Content team matters, as reviewing the first of proposals, preparing public information about the new Academic Track; or coordinating different aspects of the Day trip activities and the Conference Dinner.

PyPA tools updates, by Stefano Rivera

Around the beginning of the freeze (in retrospect, definitely too late) Stefano looked at updating setuptools in the archive to 78.1.0. This brings support for more comprehensive license expressions (PEP-639), that people are expected to adopt soon upstream. While the reverse-autopkgtests all passed, it all came with some unexpected complications, and turned into a mini-transition. The new setuptools broke shebangs for scripts (pypa/setuptools#4952).

It also required a bump of wheel to 0.46 and wheel 0.46 now has a dependency outside the standard library (it de-vendored packaging). This meant it was no longer suitable to distribute a standalone wheel.whl file to seed into new virtualenvs, as virtualenv does by default. The good news here is that setuptools doesn’t need wheel any more, it included its own implementation of the bdist_wheel command, in 70.1. But the world hadn’t adapted to take advantage of this, yet. Stefano scrambled to get all of these issues resolved upstream and in Debian:

pip: Don’t check for wheel when invoked with --no-use-pep517 (pypa/pip#13330), automatically do --no-use-pep517 builds without wheel (pypa/pip#13358, rejected).
virtualenv: Don’t include wheel (pypa/virtualenv#2868) except on Python 3.8 (pypa/virtualenv#2876) as pip dropped Python 3.8 support in the same release that included #13330.
python3.13: Update bundled setuptools in test.wheeldata (python/cpython#132415).
python-cffi: No need to install wheel any more (python-cffi/cffi#165).

We’re now at the point where python3-wheel-whl is no longer needed in Debian unstable, and it should migrate to trixie.

Removing `libcrypt-dev` from `build-essential`, by Helmut Grohne

The crypt function was originally part of glibc, but it got separated to libxcrypt. As a result, libc6-dev now depends on libcrypt-dev. This poses a cycle during architecture cross bootstrap. As the number of packages actually using crypt is relatively small, Helmut proposed removing the dependency. He analyzed an archive rebuild kindly performed by Santiago Vila (not affiliated with Freexian) and estimated the necessary changes. It looks like we may complete this with modifications to less than 300 source packages in the forky cycle. Half of the bugs have been filed at this time. They are tracked with libcrypt-* usertags.

Miscellaneous contributions

Carles uploaded a new version of simplemonitor.
Carles improved the documentation of salsa-ci-team/pipeline regarding piuparts arguments.
Carles closed an FTBFS on gcc-15 on qnetload.
Carles worked on Catalan translations using po-debconf-manager: reviewed 57 translations and created their merge requests in salsa, created 59 bug reports for packages that didn’t merge in more than 30 days. Followed-up merge requests and comments in bug reports. Managed some translations manually for packages that are not in Salsa.
Lucas did some work on the DebConf Content and Bursary teams.
Lucas fixed multiple CVEs and bugs involving the upgrade from bookworm to trixie in ruby3.3.
Lucas fixed a CVE in valkey in unstable.
Stefano updated beautifulsoup4, python-authlib, python-html2text, python-packaging, python-pip, python-soupsieve, and unidecode.
Stefano packaged python-dependency-groups, a new vendored library in python-pip.
During an afternoon Bug Squashing Party in Montevideo, Santiago uploaded a couple of packages fixing RC bugs #1057226 and #1102487. The latter was a sponsored upload.
Thorsten uploaded new upstream versions of brlaser, ptouch-driver and sane-airscan to get the latest upstream bug fixes into Trixie.
Raphaël filed an upstream bug on zim for a graphical glitch that he has been experiencing.
Colin Watson upgraded openssh to 10.0p1 (also known as 10.0p2), and debugged various follow-up bugs. This included adding riscv64 support to vmdb2 in passing, and enabling native wtmpdb support so that wtmpdb last now reports the correct tty for SSH connections.
Colin fixed dput-ng’s –override option, which had never previously worked.
Colin fixed a security bug in debmirror.
Colin did his usual routine work on the Python team: 21 packages upgraded to new upstream versions, 8 CVEs fixed, and about 25 release-critical bugs fixed.
Helmut filed patches for 21 cross build failures.
Helmut uploaded a new version of debvm featuring a new tool debefivm-create to generate EFI-bootable disk images compatible with other tools such as libvirt or VirtualBox. Much of the work was prototyped in earlier months. This generalizes mmdebstrap-autopkgtest-build-qemu.
Helmut continued reporting undeclared file conflicts and suggested package removals from unstable.
Helmut proposed build profiles for libftdi1 and gnupg2. To deal with recently added dependencies in the architecture cross bootstrap package set.
Helmut managed the /usr-move transition. He worked on ensuring that systemd would comply with Debian’s policy. Dumat continues to locate problems here and there yielding discussion occasionally. He sent a patch for an upgrade problem in zutils.
Anupa worked with the Debian publicity team to publish Micronews and Bits posts.
Anupa worked with the DebConf 25 content team to review talk and event proposals for DebConf 25.

ELA-1419-1 wpa security update (by )

Sun, 11 May 2025 11:25:24 +0200

Package : wpa

Version : 2:2.9.0-21+deb11u3~deb10u1 (buster)

Multiple vulnerabilities were found in wpa, a set of tools including the widely-used wpasupplicant client for authenticating with WPA and WPA2 wireless networks.

CVE-2022-23303

The implementations of SAE in hostapd
are vulnerable to side channel attacks as a result of
cache access patterns.

CVE-2022-23304

The implementations of EAP-pwd are vulnerable
to side-channel attacks as a result of cache access patterns.

CVE-2022-37660

The PKEX code remains active even after
a successful PKEX association. An attacker that successfully
bootstrapped public keys with another entity using PKEX in
the past, will be able to subvert a future bootstrapping
by passively observing public keys.

ELA-1418-1 request-tracker4 security update (by )

Thu, 08 May 2025 12:59:14 -0300

Package : request-tracker4

Version : 4.4.3-2+deb10u4 (buster)

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system, which could result in information disclosure, cross-site scripting and use of weak encryption for S/MIME emails.

Debusine (by )

Wed, 07 May 2025 11:07:07 +0200

What is Debusine?

Debusine is a modern cloud-powered continuous integration platform to run many packaging and distribution related workflows for the Debian ecosystem. It can be used to automate everything from the package build up to the generation of installer/disk/cloud/container images, including all the intermediary QA checks. It is very versatile and easy to extend to cater to custom requirements.

It was built by Freexian to modernize Debian’s infrastructure, with initial support from the German government (through the Sovereign Tech Agency). The people behind this development have a track record of building lasting infrastructure like Ubuntu’s Launchpad or Debian’s Package Tracker.

Freexian is developing Debusine in the open and licensing it under the terms of the GPLv3. While it is and will continue to be possible for anyone to run Debusine on their own infrastructure without any licensing costs, Freexian also offers it as a SaaS product on debusine.freexian.com. This supports continued development of the software by the Debian developers that created it, and frees users from the complex system administration work involved in running a fleet of workers covering multiple architectures.

How can Debusine help you?

As a Debian system administrator

Set up a validation workflow between vendor-provided updates and deployment onto your production servers.
Maintain production-level Debian packages with custom patches tailored to your specific needs. Benefits from automated builds out of git repositories and notifications when an update needs to be made. Ensure your changes do not break anything with automated tests that are also run on reverse dependencies.
Create custom cloud/container images and installation media for automated deployments.

As a Debian derivative

Avoid the hassle of setting up and maintaining all the servers to build packages, images, to host the package repository, etc.
Forget about your nightmarish CI configuration files to automate your Debian packaging workflow across your target platform matrix.
Improve your development workflows to detect problems before they reach the package repository and users.
Add support for arm64/armhf/armel architectures.
Implement UEFI Secure Boot to protect your users.
And much more… Debusine is really built for you!

As a software vendor

Provide first-class Debian packages of your software for all Debian/Ubuntu releases (and even more Debian derivatives if you wish).
Automatically test your custom Debian package in a large set of Debian/Ubuntu releases.
Extend your QA tests to also run on non-x86 architectures like arm64, armhf or armel.
Build your entire CI/CD pipeline with Debusine. Automatically build each component out of git, upload the results in staging repositories, validate the behaviour of the resulting combination of packages, and release to users.

How can we work together?

Debusine is very modular: it has many building blocks that can be combined to achieve various workflows. It is thus powerful but requires some non-trivial integration work that is currently out of reach for a self-serve service.

Freexian has a team of world-class experts in packaging & CI/CD workflows, reach out to us at sales@freexian.com for a free consultation and we can make a custom offer to set up a space for your organization on debusine.freexian.com that would accommodate your organization's needs.

If that process identifies needs that can’t be met by Debusine, we can make an offer to develop the required features. We welcome such custom development projects, because that’s how free software evolves to satisfy the requirements of an ever growing audience of users.

Learn more about Debusine

ELA-1417-1 golang-glog security update (by )

Mon, 05 May 2025 15:32:49 +0200

Package : golang-glog

Version : 0.0~git20160126.23def4e-3+deb10u1 (buster)

Related CVEs : CVE-2024-45339

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process’s log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

The following Go packages have been rebuilt in order to fix this issue:

golang-grpc-gateway 1.6.4-2+deb10u1
mtail 3.0.0~rc19-2+deb10u1
prometheus-mongodb-exporter 1.0.0+git20180522.e755a44-1+deb10u1

ELA-1416-1 libuv1 security update (by )

Sun, 04 May 2025 19:08:25 +0200

Package : libuv1

Version : 1.24.1-1+deb10u3 (buster)

Related CVEs : CVE-2020-8252

realpath in libuv incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

ELA-1415-1 nodejs security update (by )

Sun, 04 May 2025 00:41:56 +0200

Package : nodejs

Version : 10.24.0~dfsg-1~deb10u6 (buster)

Related CVEs : CVE-2025-47153

Node.js a popular server side javascript engine was affected by a vulnerability on 32bits architecture.

Build processes for libuv and Node.js for 32-bit systems, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access.

Following reverse dependencies were also rebuilt in order to fix the vulnerability:

node-expat
node-iconv
node-leveldown
node-mapnik
node-modern-syslog
node-nodedbi
node-opencv
node-sqlite3
node-srs
node-stringprep
node-websocket
node-ws
node-zipfile
r-cran-v8

ELA-1414-1 postgresql-9.6 security update (by )

Fri, 02 May 2025 08:58:28 +0200

Package : postgresql-9.6

Version : 9.6.24-0+deb9u9 (stretch)

Related CVEs : CVE-2025-1094

PostgreSQL, a popular database, was affected by a vulnerability.

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns.

ELA-1413-1 mysql-connector-python security update (by )

Fri, 02 May 2025 00:00:08 +0200

Package : mysql-connector-python

Version : 2.1.6-1+deb9u1 (stretch)

Multiple vulnerabilities have been discovered in mysql-connector-python, a Python implementation of the MySQL client/server protocol.

CVE-2019-2435

A vulnerability to man-in-the-middle attacks was discovered in the pure
Python implementation. MySQL clients connecting using TLS have not been
verifying the server name against the server certificate's common
name (CN) and subject alternative names (SANs).

CVE-2024-21272

Malicious strings can be injected when utilizing dictionary-based query
parameterization via the `cursor.execute()` API command and the C-based
implementation of the connector.

CVE-2025-21548

A possible RCE has been detected involving the MySQL Connector/Python
configuration files.

ELA-1412-1 libxml2 security update (by )

Wed, 30 Apr 2025 18:20:15 +0200

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u19 (jessie), 2.9.4+dfsg1-2.2+deb9u13 (stretch), 2.9.4+dfsg1-7+deb10u11 (buster)

Related CVEs : CVE-2025-32414 CVE-2025-32415

Two issues have been found in libxml2, the GNOME XML library. They are related to an out-of-bounds memory access in the Python API and a heap-buffer-overflow in xmlSchemaIDCFillNodeTables().

ELA-1411-1 expat security update (by )

Wed, 30 Apr 2025 18:10:01 +0200

Package : expat

Version : 2.2.0-2+deb9u10 (stretch), 2.2.6-2+deb10u9 (buster)

Related CVEs : CVE-2024-50602

An issue has been found in expat, an XML parsing C library. The issue is related to a crash within XML_ResumeParser() because XML_StopParser() can stop/suspend an unstarted parser.

Freexian partners with Invisible Things Lab to extend security support for Xen hypervisor (by )

Tue, 29 Apr 2025 00:00:00 +0000

Freexian is pleased to announce a partnership with Invisible Things Lab to extend the security support of the Xen type-1 hypervisor version 4.17. Three years after its initial release, Xen 4.17, the version available in Debian 12 “bookworm”, will reach end-of-security-support status upstream on December 2025. The aim of our partnership with Invisible Things is to extend the security support until, at least, July 2027. We may also explore a possibility of extending the support until June 2028, to coincide with the end of Debian 12 LTS support-period.

The security support of Xen in Debian, since Debian 8 “jessie” until Debian 11 “bullseye”, reached its end before the end of the life cycle of the release. We aim then to significantly improve the situation of Xen in Debian 12. As with similar efforts, we would like to mention that this is an experiment and that we will do our best to make it a success. We are aiming to try and to extend the security support for Xen versions included in future Debian releases, including Debian 13 “trixie”.

In the long term, we hope that this effort will ultimately allow the Xen Project to increase the official security support period for Xen releases from the current three years to at least five years, with the extra work being funded by the community of companies benefiting from the longer support period.

If your company relies on Xen and wants to help sustain LTS versions of Xen, please reach out to us. For companies using Debian, the simplest way is to subscribe to Freexian’s Debian LTS offer at a gold level (or above) and let us know that you want to contribute to Xen LTS when you send in your subscription form. For others, please reach out to us at sales@freexian.com and we will figure out a way to help you contribute.

In the mean time, this initiative has been made possible thanks to the current LTS sponsors and ELTS customers. We hope the entire community of Debian and Xen users will benefit from this initiative.

For any queries you might have, please don’t hesitate to contact us at sales@freexian.com.

About Invisible Things Lab

Invisible Things Lab (ITL) offers low-level security consulting auditing services for x86 virtualization technologies; C, C++, and assembly codebases; Intel SGX; binary exploitation and mitigations; and more. ITL also specializes in Qubes OS and Gramine consulting, including deployment, debugging, and feature development.

Monthly report about Debian Long Term Support, March 2025 (by Roberto C. Sánchez)

Roberto C. Sánchez — Mon, 28 Apr 2025 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In March, 20 contributors have been paid to work on Debian LTS, their reports are available:

Adrian Bunk did 51.5h (out of 0.0h assigned and 51.5h from previous period).
Andreas Henriksson did 20.0h (out of 20.0h assigned).
Andrej Shadura did 6.0h (out of 10.0h assigned), thus carrying over 4.0h to the next month.
Bastien Roucariès did 20.0h (out of 20.0h assigned).
Ben Hutchings did 12.0h (out of 12.0h assigned and 12.0h from previous period), thus carrying over 12.0h to the next month.
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 26.0h (out of 23.0h assigned and 3.0h from previous period).
Emilio Pozuelo Monfort did 37.0h (out of 36.5h assigned and 0.75h from previous period), thus carrying over 0.25h to the next month.
Guilhem Moulin did 8.25h (out of 11.0h assigned and 9.0h from previous period), thus carrying over 11.75h to the next month.
Jochen Sprickerhof did 18.0h (out of 24.25h assigned and 3.0h from previous period), thus carrying over 9.25h to the next month.
Lee Garrett did 10.25h (out of 0.0h assigned and 42.0h from previous period), thus carrying over 31.75h to the next month.
Lucas Kanashiro did 4.0h (out of 0.0h assigned and 56.0h from previous period), thus carrying over 52.0h to the next month.
Markus Koschany did 27.25h (out of 27.25h assigned).
Roberto C. Sánchez did 8.25h (out of 7.0h assigned and 17.0h from previous period), thus carrying over 15.75h to the next month.
Santiago Ruano Rincón did 17.5h (out of 19.75h assigned and 5.25h from previous period), thus carrying over 7.5h to the next month.
Sean Whitton did 7.0h (out of 7.0h assigned).
Sylvain Beucler did 32.0h (out of 31.0h assigned and 1.25h from previous period), thus carrying over 0.25h to the next month.
Thorsten Alteholz did 11.0h (out of 11.0h assigned).
Tobias Frost did 7.75h (out of 12.0h assigned), thus carrying over 4.25h to the next month.
Utkarsh Gupta did 15.0h (out of 15.0h assigned).

Evolution of the situation

In March, we have released 31 DLAs.

Notable security updates:
- linux-6.1 (1 2)and linux, prepared by Ben Hutchings, fixed an extensive list of vulnerabilities
- firefox-esr, prepared by Emilio Pozuelo Monfort, fixed a variety of vulnerabilities
- intel-microcode, prepared by Tobias Frost, fixed several local privilege escalation, denial of service, and information disclosure vulnerabilities
- vim, prepared by Sean Whitton, fixed a multitude of vulnerabilities, including many application crashes, buffer overflows, and out-of-bounds reads

The recent trend of contributions from contributors external to the formal LTS team has continued. LTS contributor Sylvain Beucler reviewed and facilitated an update to openvpn proposed by Aquila Macedo, resulting in the publication of DLA 4079-1. Thanks a lot to Aquila for preparing the update.

The LTS Team continues to make contributions to the current stable Debian release, Debian 12 (codename “bookworm”). LTS contributor Bastien Roucariès prepared a stable upload of krb5 to ensure that fixes made in the LTS release, Debian 11 (codename “bullseye”) were also made available to stable users. Additional stable updates, for tomcat10 and jetty9, were prepared by LTS contributor Markus Koschany. And, finally, LTS contributor Utkarsh Gupta prepared stable updates for rails and ruby-rack.

LTS contributor Emilio Pozuelo Monfort has continued his ongoing improvements to the Debian security tracker and its associated tooling, making the data contained in the tracker more reliable and easing interaction with it.

The ckeditor3 package, which has been EOL by upstream for some time, is still depended upon by the PHP Horde packages in Debian. Sylvain, along with Bastien, did monumental work in coordinating with maintainers, security team fellows, and other Debian teams, to formally declare the EOL of the ckeditor3 package in Debian 11 and in Debian 12. Additionally, as a result of this work Sylvain has worked towards the removal of ckeditor3 as a dependency by other packages in order to facilitate the complete removal of ckeditor3 from all future Debian releases.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 114 months)
- Civil Infrastructure Platform (CIP) (for 82 months)
- VyOS Inc (for 47 months)
Gold sponsors:
- Roche Diagnostics International AG (for 125 months)
- Akamai - Linode (for 119 months)
- Babiel GmbH (for 108 months)
- Plat’Home (for 108 months)
- University of Oxford (for 65 months)
- Deveryware (for 52 months)
- EDF SA (for 36 months)
- Dataport AöR (for 12 months)
- CERN (for 9 months)
Silver sponsors:
- Domeneshop AS (for 129 months)
- Nantes Métropole (for 123 months)
- Univention GmbH (for 115 months)
- Université Jean Monnet de St Etienne (for 115 months)
- Ribbon Communications, Inc. (for 109 months)
- Exonet B.V. (for 99 months)
- Leibniz Rechenzentrum (for 93 months)
- Ministère de l’Europe et des Affaires Étrangères (for 77 months)
- Cloudways by DigitalOcean (for 66 months)
- Dinahosting SL (for 64 months)
- Bauer Xcel Media Deutschland KG (for 59 months)
- Platform.sh SAS (for 59 months)
- Moxa Inc. (for 53 months)
- sipgate GmbH (for 50 months)
- OVH US LLC (for 48 months)
- Tilburg University (for 48 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 40 months)
- Soliton Systems K.K. (for 37 months)
- THINline s.r.o. (for 13 months)
- Copenhagen Airports A/S (for 6 months)
Bronze sponsors:
- Evolix (for 130 months)
- Seznam.cz, a.s. (for 130 months)
- Linuxhotel GmbH (for 127 months)
- Intevation GmbH (for 126 months)
- Daevel SARL (for 125 months)
- Bitfolk LTD (for 124 months)
- Megaspace Internet Services GmbH (for 124 months)
- Greenbone AG (for 123 months)
- NUMLOG (for 123 months)
- WinGo AG (for 123 months)
- Entr’ouvert (for 114 months)
- Adfinis AG (for 112 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 106 months)
- Tesorion (for 106 months)
- Bearstech (for 98 months)
- LiHAS (for 98 months)
- Catalyst IT Ltd (for 92 months)
- Supagro (for 88 months)
- Demarcq SAS (for 86 months)
- Université Grenoble Alpes (for 72 months)
- TouchWeb SAS (for 65 months)
- SPiN AG (for 61 months)
- CoreFiling (for 57 months)
- Institut des sciences cognitives Marc Jeannerod (for 52 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 49 months)
- Tem Innovations GmbH (for 44 months)
- WordFinder.pro (for 43 months)
- CNRS DT INSU Résif (for 42 months)
- Alter Way (for 35 months)
- Institut Camille Jordan (for 25 months)
- SOBIS Software GmbH (for 9 months)
- Tuxera Inc.

ELA-1410-1 python3.7 security update (by )

Sun, 27 Apr 2025 14:13:57 +0300

Package : python3.7

Version : 3.7.3-2+deb10u10 (buster)

Related CVEs : CVE-2025-1795

List separators in email headers were wrongly Unicode-encoded in email headers in the Python3 interpreter.

ELA-1409-1 zabbix security update (by )

Sun, 27 Apr 2025 09:53:46 +0200

Package : zabbix

Version : 1:2.2.23+dfsg-0+deb8u10 (jessie), 1:4.0.4+dfsg-1+deb10u6 (buster)

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially among other effects allowing XSS, Code Execution, information disclosure, remote code execution, impersonation or session hijacking.

Most of the CVEs are targeting the buster update, the CVE targeting jessie is marked accordingly.

CVE-2024-22114

A user with no permission to any of the Hosts can access and view host
count & other statistics through System Information Widget in Global
View Dashboard.

CVE-2024-22116

An administrator with restricted permissions can exploit the script
execution functionality within the Monitoring Hosts section. The lack of
default escaping for script parameters enabled this user ability to
execute arbitrary code via the Ping script, thereby compromising
infrastructure.

CVE-2024-22117

When a URL is added to the map element, it is recorded in the database
with sequential IDs. Upon adding a new URL, the system retrieves the
last sysmapelementurlid value and increments it by one. However, an
issue arises when a user manually changes the sysmapelementurlid value
by adding sysmapelementurlid + 1. This action prevents others from
adding URLs to the map element.

CVE-2024-22122

Zabbix allows to configure SMS notifications. AT command injection
occurs on "Zabbix Server" because there is no validation of "Number"
field on Web nor on Zabbix server side. Attacker can run test of SMS
providing specially crafted phone number and execute additional AT
commands on the modem.

CVE-2024-22123

Setting SMS media allows to set GSM modem file. Later this file is used
as Linux device. But due everything is a file for Linux, it is possible
to set another file, e.g. log file and zabbix_server will try to
communicate with it as modem. As a result, log file will be broken with
AT commands and small part for log file content will be leaked to UI.

CVE-2024-36464

When exporting media types, the password is exported in the YAML in
plain text. This appears to be a best practices type issue and may
have no actual impact. The user would need to have permissions to
access the media types and therefore would be expected to have
access to these passwords.

CVE-2024-36467

An authenticated user with API access (e.g.: user with default User
role), more specifically a user with access to the user.update API
endpoint is enough to be able to add themselves to any group
(e.g.: Zabbix Administrators), except to groups that are disabled
or having restricted GUI access.

CVE-2024-36469

Execution time for an unsuccessful login differs when using a
non-existing username compared to using an existing one.

CVE-2024-42325 (jessie and buster)

Zabbix API user.get returns all users that share common group with the
calling user. This includes media and other information, such as login
attempts, etc.

CVE-2024-42332

The researcher is showing that due to the way the SNMP trap log is
parsed, an attacker can craft an SNMP trap with additional lines of
information and have forged data show in the Zabbix UI. This attack
requires SNMP auth to be off and/or the attacker to know the
community/auth details. The attack requires an SNMP item to be
configured as text on the target host.

CVE-2024-42333

The researcher is showing that it is possible to leak a small amount
of Zabbix Server memory using an out of bounds read in
src/libs/zbxmedia/email.c

CVE-2024-45700

Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled
resource exhaustion. An attacker can send specially crafted requests to
the server, which will cause the server to allocate an excessive amount
of memory and perform CPU-intensive decompression operations, ultimately
leading to a service crash.

ELA-1408-1 curl security update (by )

Sat, 26 Apr 2025 23:49:19 -0300

Package : curl

Version : 7.52.1-5+deb9u23 (stretch), 7.64.0-4+deb10u11 (buster)

Related CVEs : CVE-2024-2398 CVE-2024-8096

Two security issues were found in Curl, an easy-to-use client-side URL transfer library and command line tool:

CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and
the amount of received headers for the push surpasses the maximum allowed
limit (1000), libcurl aborts the server push. When aborting, libcurl
inadvertently does not free all the previously allocated headers and
instead leaks the memory.

Further, this error condition fails silently and is therefore not easily
detected by an application.

CVE-2024-8096

When curl is told to use the Certificate Status Request TLS extension,
often referred to as OCSP stapling, to verify that the server certificate
is valid, it might fail to detect some OCSP problems and instead wrongly
consider the response as fine.

If the returned status reports another error than "revoked" (like for
example "unauthorized") it is not treated as a bad certificate.

ELA-1407-1 imagemagick security update (by )

Sat, 26 Apr 2025 23:56:09 +0300

Package : imagemagick

Version : 8:6.8.9.9-5+deb8u28 (jessie), 8:6.9.7.4+dfsg-11+deb9u21 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u10 (buster)

Related CVEs : CVE-2025-43965

Mishandling of MIFF image depth after SetQuantumFormat() has been fixed in ImageMagick, a software suite for editing and manipulating digital images.

ELA-1406-1 distro-info-data database update (by )

Sat, 26 Apr 2025 09:42:26 -0400

Package : distro-info-data

Version : 0.36~bpo8+7 (jessie), 0.41+deb10u2~bpo9+7 (stretch), 0.41+deb10u11 (buster)

This is a routine update of the distro-info-data database for Debian ELTS users.

It adds Ubuntu 25.10 “Questing Quokka” and Debian 15 “Duke”.

ELA-1405-1 erlang security update (by )

Wed, 23 Apr 2025 19:56:35 +0200

Package : erlang

Version : 19.2.1+dfsg-2+really23.3.4.18-0+deb9u4 (stretch), 1:22.2.7+dfsg-1+deb10u3 (buster)

Related CVEs : CVE-2025-32433

A remote code execution vulnerability was discovered in the Erlang/OTP implementation of the SSH protocol.

CVE-2025-32433

A SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.

ELA-1404-1 hiredis security update (by )

Wed, 23 Apr 2025 20:42:19 +0300

Package : hiredis

Version : 0.13.3-2+deb9u1 (stretch), 0.14.0-3+deb10u1 (buster)

Related CVEs : CVE-2020-7105

NULL pointer dereferences due to unchecked return values of allocation functions have been fixed in hiredis, a C client library for the Redis key-value database.

ELA-1403-1 libsndfile security update (by )

Wed, 23 Apr 2025 13:26:54 +0200

Package : libsndfile

Version : 1.0.25-9.1+deb8u8 (jessie), 1.0.27-3+deb9u4 (stretch), 1.0.28-6+deb10u3 (buster)

Related CVEs : CVE-2022-33065 CVE-2024-50612

Several security vulnerabilities have been found in libsndfile, a library for reading/writing audio files.

CVE-2022-33065

Multiple signed integers overflow in function au_read_header in src/au.c
and in functions mat4_open and mat4_read_header in src/mat4.c in
Libsndfile, allows an attacker to cause Denial of Service or other
unspecified impacts.

CVE-2024-50612

libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote
out-of-bounds read.

ELA-1402-1 libxstream-java security update (by )

Tue, 22 Apr 2025 22:08:48 +0200

Package : libxstream-java

Version : 1.4.11.1-1+deb8u7 (jessie), 1.4.11.1-1+deb10u5 (buster)

Related CVEs : CVE-2024-47072

XStream is a Java library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream has been patched to detect the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead.

ELA-1401-1 transfig security update (by )

Mon, 21 Apr 2025 14:32:05 +0300

Package : transfig

Version : 1:3.2.6a-2~deb8u2 (jessie)

Multiple vulnerabilities have been fixed in the transfig utilities for converting XFig figure files.

CVE-2025-31162

floating point exception with huge pattern lengths

CVE-2025-31163

non-rejection of arcs with co-incident points

CVE-2025-31164

heap buffer overflow on arc-box with zero radius

ELA-1400-1 fig2dev security update (by )

Mon, 21 Apr 2025 14:30:48 +0300

Package : fig2dev

Version : 1:3.2.6a-2+deb9u5 (stretch), 1:3.2.7a-5+deb10u6 (buster)

Multiple vulnerabilities have been fixed in the fig2dev utilities for converting XFig figure files.

CVE-2025-31162

floating point exception with huge pattern lengths

CVE-2025-31163

non-rejection of arcs with co-incident points

CVE-2025-31164

heap buffer overflow on arc-box with zero radius

ELA-1399-1 wget security update (by )

Mon, 21 Apr 2025 11:22:08 +0300

Package : wget

Version : 1.16-1+deb8u8 (jessie), 1.18-5+deb9u4 (stretch), 1.20.1-1.1+deb10u1 (buster)

Related CVEs : CVE-2024-38428

Mishandling of semicolons in the userinfo subcomponent of a URI has been fixed in GNU Wget, a utility for retrieving files over HTTP, HTTPS, FTP and FTPS.

ELA-1398-1 postgresql-11 security update (by )

Fri, 18 Apr 2025 22:24:03 +0200

Package : postgresql-11

Version : 11.22-0+deb10u5 (buster)

Related CVEs : CVE-2025-1094

PostgreSQL, a popular database, was affected by a vulnerability.

ELA-1397-1 libmodbus security update (by )

Thu, 17 Apr 2025 14:33:54 +0200

Package : libmodbus

Version : 3.0.6-1+deb8u2 (jessie), 3.0.6-2+deb9u2 (stretch), 3.1.4-2+deb10u3 (buster)

Related CVEs : CVE-2024-10918

Stack-based Buffer Overflow vulnerability in libmodbus v3.1.10 allows to overflow the buffer allocated for the Modbus response the function tries to reply to a Modbus request with an unexpect length.

ELA-1396-1 jinja2 security update (by )

Wed, 16 Apr 2025 22:27:03 -0300

Package : jinja2

Version : 2.7.3-1+deb8u2 (jessie), 2.8-1+deb9u2 (stretch), 2.10-2+deb10u2 (buster)

Related CVEs : CVE-2024-56326 CVE-2025-27516

A couple of vulnerabilities were found in jinja2, a template engine. The rendering of untrusted templates could lead to attackers executing arbitrary Python code.

CVE-2024-56326

Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects
calls to str.format allows an attacker that controls the content of a
template to execute arbitrary Python code. To exploit the vulnerability, an
attacker needs to control the content of a template. Whether that is the
case depends on the type of application using Jinja. This vulnerability
impacts users of applications which execute untrusted templates. Jinja's
sandbox does catch calls to str.format and ensures they don't escape the
sandbox. However, it's possible to store a reference to a malicious string's
format method, then pass that to a filter that calls it. No such filters are
built-in to Jinja, but could be present through custom filters in an
application. After the fix, such indirect calls are also handled by the
sandbox.

CVE-2025-27516

Prior to 3.1.6, an oversight in how the Jinja sandboxed environment
interacts with the |attr filter allows an attacker that controls the
content of a template to execute arbitrary Python code. To exploit the
vulnerability, an attacker needs to control the content of a template.
Whether that is the case depends on the type of application using Jinja.
This vulnerability impacts users of applications which execute untrusted
templates. Jinja's sandbox does catch calls to str.format and ensures they
don't escape the sandbox. However, it's possible to use the |attr filter to
get a reference to a string's plain format method, bypassing the sandbox.
After the fix, the |attr filter no longer bypasses the environment's
attribute lookup.

ELA-1395-1 shadow security update (by )

Tue, 15 Apr 2025 18:55:41 +0200

Package : shadow

Version : 1:4.2-3+deb8u6 (jessie)

Related CVEs : CVE-2023-4641 CVE-2023-29383

Several vulnerabilities were discovered in the shadow suite of login tools. An attacker may extract a password from memory in limited situations, and confuse an administrator inspecting /etc/passwd from within a terminal.

CVE-2023-4641

When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.
CVE-2023-29383

It is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed.

ELA-1393-1 opensaml security update (by )

Tue, 15 Apr 2025 16:38:35 +0200

Package : opensaml

Version : 3.0.1-1+deb10u1 (buster)

Related CVEs : CVE-2025-31335

Alexander Tan discovered that the OpenSAML C++ library was susceptible to forging of signed SAML messages. For additional details please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20250313.txt

For Debian 8 (jessie) and 9 (stretch), see separate ELA-1394-1 for opensaml2.

ELA-1394-1 opensaml2 security update (by )

Tue, 15 Apr 2025 16:38:08 +0200

Package : opensaml2

Version : 2.5.3-2+deb8u3 (jessie), 2.6.0-4+deb9u2 (stretch)

Related CVEs : CVE-2025-31335

For Debian 10 (buster), see separate ELA-1393-1 for opensaml.

ELA-1386-1 atop security update (by )

Mon, 14 Apr 2025 19:54:30 -0300

Package : atop

Version : 2.4.0-3+deb10u1 (buster)

Related CVEs : CVE-2025-31160

It was discovered that Atop, a monitor tool for system resources and process activity, always tried to connect to the port of atopgpud (an additional daemon gathering GPU statistics not shipped in Debian) while performing insufficient sanitising of the data read from this port.

With this update, additional validation is added and by default atop no longer tries to connect to the atopgpud daemon port unless explicitly enabled via -k.

ELA-1392-1 twitter-bootstrap4 security update (by )

Mon, 14 Apr 2025 22:51:03 +0200

Package : twitter-bootstrap4

Version : 4.3.1+dfsg2-1+deb10u1 (buster)

Related CVEs : CVE-2024-6531

Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS framework, was affected by a XSS vulnerability in carousel component.

If you use bootstrap through a module bundler, you may need to rebuild your application.

ELA-1391-1 gimp security update (by )

Mon, 14 Apr 2025 13:36:02 +0300

Package : gimp

Version : 2.8.18-1+deb9u3 (stretch), 2.10.8-2+deb10u2 (buster)

Related CVEs : CVE-2025-2761

Out-of-bounds write in FLI (AutoDesk FLIC animation) file parsing has been fixed in GIMP, the GNU Image Manipulation Program.

ELA-1390-1 glib2.0 security update (by )

Mon, 14 Apr 2025 12:03:37 +0300

Package : glib2.0

Version : 2.58.3-2+deb10u8 (buster)

Related CVEs : CVE-2025-3360

Integer overflow in g_date_time_new_from_iso8601() has been fixed in the GNOME library glib2.0.

ELA-1389-1 twitter-bootstrap3 security update (by )

Sun, 13 Apr 2025 21:59:58 +0200

Package : twitter-bootstrap3

Version : 3.3.7+dfsg-2+deb9u3 (stretch), 3.4.1+dfsg-1+deb10u1 (buster)

Related CVEs : CVE-2024-6484 CVE-2024-6485

Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS framework, was affected by multiple XSS vulnerabilities.

If you use bootstrap through a module bundler, you may need to rebuild your application.

ELA-1388-1 twitter-bootstrap3 security update (by )

Sun, 13 Apr 2025 19:19:34 +0200

Package : twitter-bootstrap3

Version : 3.3.7+dfsg-2+deb9u3~deb8u1 (jessie)

Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS framework, was affected by multiple XSS vulnerabilities.

If you use bootstrap through a module bundler, you may need to rebuild your application.

ELA-1387-1 erlang security update (by )

Sun, 13 Apr 2025 10:07:58 +0200

Package : erlang

Version : 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u3 (stretch), 1:22.2.7+dfsg-1+deb10u2 (buster)

Multiple vulnerabilities were found in Erlang/OTP, a set of libraries for the Erlang programming language.

CVE-2023-48795

The SSH transport protocol, as implemented in Erlang, allows remote attackers to bypass integrity
checks such that some packets are omitted (from the extension negotiation message), and
a client and server may consequently end up with a connection for which some security features
have been downgraded or disabled, aka a Terrapin attack

CVE-2025-26618

Packet size is not verified properly for SFTP packets. As a result when multiple SSH packets
(conforming to max SSH packet size) are received by ssh, they might be combined into an
SFTP packet which will exceed the max allowed packet size and potentially cause
large amount of memory to be allocated (causing a Deny of Service).

CVE-2025-30211

A maliciously formed KEX (Key EXchange message for SSH protocol) init message can result
with high memory usage. Implementation does not verify RFC specified limits on algorithm names
(64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient
processing of the error data. As a result, large amount of memory will be allocated
for processing malicious data.

ELA-1385-1 php5 security update (by )

Thu, 10 Apr 2025 23:38:58 +0200

Package : php5

Version : 5.6.40+dfsg-0+deb8u23 (jessie)

CVE-2025-1217

Tim Düsterhus discovered that the header parser of the http stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier.

CVE-2025-1219

Tim Düsterhus discovered that when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This allows an attacker to cause a document to be parsed incorrectly, changing its meaning and possibly bypassing validation.

CVE-2025-1734

It was discovered that the streams HTTP wrapper does not fail for headers with invalid name and no colon, thereby violating RFC-mandated behavior and potentially leading to request smuggling.

CVE-2025-1736

It was discovered that the stream HTTP wrapper header check might omit basic auth header in some cases, thereby stripping it.

CVE-2025-1861

It was discovered that the stream HTTP wrapper truncate redirect location to 1024 bytes, while the RFC-recommended length is 8000 and browsers usually limit to around 2048.

The URI truncation might result in omitting some critical information (e.g. from the query) or even redirection to other resources. It could even result in DOS of the remote site if the trucated URL results in error.

ELA-1384-1 php7.0 security update (by )

Thu, 10 Apr 2025 23:38:57 +0200

Package : php7.0

Version : 7.0.33-0+deb9u21 (stretch)

CVE-2025-1217

Tim Düsterhus discovered that the header parser of the http stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier.

CVE-2025-1219

CVE-2025-1734

It was discovered that the streams HTTP wrapper does not fail for headers with invalid name and no colon, thereby violating RFC-mandated behavior and potentially leading to request smuggling.

CVE-2025-1736

It was discovered that the stream HTTP wrapper header check might omit basic auth header in some cases, thereby stripping it.

CVE-2025-1861

It was discovered that the stream HTTP wrapper truncate redirect location to 1024 bytes, while the RFC-recommended length is 8000 and browsers usually limit to around 2048.

GHSA-wg4p-4hqh-c3g9

An out of bound read was discovered in the XML parsing logic when XML_OPTION_SKIP_TAGSTART is set to a high value and the XML document has shorter tag names than expected. (No CVE was assigned for this vulnerability at the time of writing.)

ELA-1383-1 php7.3 security update (by )

Thu, 10 Apr 2025 23:38:56 +0200

Package : php7.3

Version : 7.3.31-1~deb10u10 (buster)

CVE-2025-1217

Tim Düsterhus discovered that the header parser of the http stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier.

CVE-2025-1219

CVE-2025-1734

It was discovered that the streams HTTP wrapper does not fail for headers with invalid name and no colon, thereby violating RFC-mandated behavior and potentially leading to request smuggling.

CVE-2025-1736

It was discovered that the stream HTTP wrapper header check might omit basic auth header in some cases, thereby stripping it.

CVE-2025-1861

It was discovered that the stream HTTP wrapper truncate redirect location to 1024 bytes, while the RFC-recommended length is 8000 and browsers usually limit to around 2048.

GHSA-wg4p-4hqh-c3g9

ELA-1343-2 proftpd-dfsg regression update (by )

Wed, 09 Apr 2025 08:58:34 +0200

Package : proftpd-dfsg

Version : 1.3.5e+r1.3.5b-4+deb9u5 (stretch)

The update for proftpd-dfsg announced in ELA 1343-1 introduced a regression for Debian 9 “stretch”, making sftp public key authentification rejected by default. Updated packages are now available to fix this issue.

Debian Contributions: Preparations for Trixie, Updated debvm, DebConf 25 registration website updates and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Wed, 09 Apr 2025 00:00:00 +0000

Debian Contributions: 2025-03

Preparing for Trixie, by Raphaël Hertzog

As we are approaching the trixie freeze, it is customary for Debian developers to review their packages and clean them up in preparation for the next stable release.

That’s precisely what Raphaël did with publican, a package that had not seen any change since the last Debian release and that partially stopped working along the way due to a major Perl upgrade. While upstream’s activity is close to zero, hope is not yet entirely gone as the git repository moved to a new location a couple of months ago and contained the required fix. Raphaël also developed another fix to avoid an annoying warning that was seen at runtime.

Raphaël also ensured that the last upstream version of zim was uploaded to Debian unstable, and developed a fix for gnome-shell-extension-hamster to make it work with GNOME 48 and thus ensure that the package does not get removed from trixie.

Abseil and re2 transition in Debian, by Stefano Rivera

One of the last transitions to happen for trixie was an update to abseil, bringing it up to 202407. This library is a dependency for one of Freexian’s customers, as well as blocking newer versions of re2, a package maintained by Stefano.

The transition had been stalled for several months while some issues with reverse dependencies were investigated and dealt with. It took a final push to make the transition happen, including fixing a few newly discovered problems downstream. The abseil package’s autopkgtests were (trivially) broken by newer cmake versions, and some tests started failing on PPC64 (a known issue upstream).

`debvm` uploaded, by Helmut Grohne

debvm is a command line tool for quickly creating a Debian-based virtual machine for testing purposes. Over time, it accumulated quite a few minor issues as well as CI failures. The most notorious one was an ARM32 failure present since August. It was diagnosed down to a glibc bug by Tj and Chris Hofstaedtler and little has happened since then. To have debvm work somewhat, it now contains a workaround for this situation. Few changes are expected to be noticeable, but related tools such as apt, file, linux, passwd, and qemu required quite a few adaptations all over the place. Much of the necessary debugging was contributed by others.

DebConf 25 Registration website, by Stefano Rivera and Santiago Ruano Rincón

DebConf 25, the annual Debian developer conference, is now open for registration. Other than preparing the conference website, getting there always requires some last minute changes to the software behind the registration interface and this year was no exception. Every year, the conference is a little different to previous years, and has some different details that need to be captured from attendees. And every year we make minor incremental improvements to fix long-standing problems.

New concepts this year included: brunch, the closing talks on the departure day, venue security clearance, partial contributions towards food and accommodation bursaries, and attendee-selected bursary budgets.

Miscellaneous contributions

Helmut uploaded guess-concurrency incorporating feedback from others.
Helmut reacted to rebootstrap CI results and adapted it to cope with changes in unstable.
Helmut researched real world /usr-move fallout though little was actually attributable. He also NMUed systemd unsuccessfully.
Helmut sent 12 cross build patches.
Helmut looked into undeclared file conflicts in Debian more systematically and filed quite some bugs.
Helmut attended the cross/bootstrap sprint in Würzburg. A report of the event is pending.
Lucas worked on the CFP and tracks definition for DebConf 25.
Lucas worked on some bits involving Rails 7 transition.
Carles investigated why the job piuparts on salsa-ci/pipeline was passing but was failing on piuparts.debian.org for simplemonitor package. Created an issue and MR with a suggested fix, under discussion.
Carles improved the documentation of salsa-ci/pipeline: added documentation for different variables.
Carles made debian-history package reproducible (with help from Chris Lamb).
Carles updated simplemonitor package (new upstream version), prepared a new qdacco version (fixed bugs in qdacco, packaged with the upgrade from Qt 5 to Qt 6).
Carles reviewed and submitted translations to Catalan for adduser, apt, shadow, apt-listchanges.
Carles reviewed, created merge-requests for translations to Catalan of 38 packages (using po-debconf-manager tooling). Created 40 bug reports for some merge requests that haven’t been actioned for some time.
Colin Watson fixed 59 RC bugs (including 26 packages broken by the long-overdue removal of dh-python’s dependency on python3-setuptools), and upgraded 38 packages (mostly Python-related) to new upstream versions.
Colin worked with Pranav P to track down and fix a dnspython autopkgtest regression on s390x caused by an endianness bug in pylsqpack.
Colin fixed a time-based test failure in python-dateutil that would have triggered in 2027, and contributed the fix upstream.
Colin fixed debconf to automatically use the noninteractive frontend if stdin is not a terminal.
Stefano bisected and fixed a pypy translation regression on Debian stable and older on 32-bit ARM.
Emilio coordinated and helped finish various transitions in light of the transition freeze.
Thorsten Alteholz uploaded cups-filters to fix an FTBFS with a new upstream version of qpdf.
With the aim of enhancing the support for packages related to Software Bill of Materials (SBOMs) in recent industrial standards, Santiago has worked on finishing the packaging of and uploaded CycloneDX python library. There is on-going work about SPDX python tools, but it requires (build-)dependencies currently not shipped in Debian, such as owlrl and pyshacl.
Anupa worked with the Publicity team to announce the Debian 12.10 point release.
Anupa with the support of Santiago prepared an announcement and announced the opening of CfP and Registrations for DebConf 25.

ELA-1382-1 linux-6.1 security update (by )

Tue, 08 Apr 2025 11:23:55 +0200

Package : linux-6.1

Version : 6.1.129-1~deb9u1 (stretch), 6.1.129-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1381-1 ruby2.1 security update (by )

Sun, 06 Apr 2025 22:49:44 +0200

Package : ruby2.1

Version : 2.1.5-2+deb8u16 (jessie)

Ruby, a popular scripting language, was affected by multiple vulnerabilities.

CVE-2025-27219

In the CGI gem, the CGI::Cookie.parse method in the CGI library
contains a potential Denial of Service (DoS) vulnerability.
The method does not impose any limit on the length of the raw cookie
value it processes. This oversight can lead to excessive
resource consumption when parsing extremely large cookies.

CVE-2025-27220

In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the Util#escapeElement method.

CVE-2025-27221

In the URI gem, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained
even after changing the host.

ELA-1380-1 openjpeg2 security update (by )

Fri, 04 Apr 2025 22:59:49 +0200

Package : openjpeg2

Version : 2.1.2-1.1+deb8u1 (jessie), 2.1.2-1.1+deb9u8 (stretch)

Several security vulnerabilities have been discovered in openjpeg2, a JPEG 2000 image library. Processing of maliciously crafted image files may trigger heap-based buffer overflows which may lead to an application crash or other undefined behavior.

In order to improve the error handling of openjpeg2 in jessie, the version was upgraded to 2.1.2, the same one as in stretch. This means long-standing minor issues CVE-2014-7947, CVE-2016-1923 and CVE-2016-3183 are also fixed in Debian 8 “jessie” now.

ELA-1379-1 openjpeg2 security update (by )

Fri, 04 Apr 2025 22:44:38 +0200

Package : openjpeg2

Version : 2.3.0-2+deb10u3 (buster)

ELA-1376-1 tomcat9 security update (by )

Fri, 04 Apr 2025 22:10:00 +0200

Package : tomcat9

Version : 9.0.31-1~deb10u14 (buster)

Related CVEs : CVE-2025-24813

It was found that a malicious user was able to view security sensitive files and/or inject content into those files when writes were enabled for the default servlet (disabled by default) and support for partial PUT was enabled (default). Under certain circumstances, depending on the application in use, remote code execution may have been possible.

ELA-1377-1 tomcat8 security update (by )

Fri, 04 Apr 2025 22:09:40 +0200

Package : tomcat8

Version : 8.0.14-1+deb8u29 (jessie), 8.5.54-0+deb9u18 (stretch)

Related CVEs : CVE-2025-24813

ELA-1378-1 tomcat7 security update (by )

Fri, 04 Apr 2025 22:09:19 +0200

Package : tomcat7

Version : 7.0.56-3+really7.0.109-1+deb8u8 (jessie)

Related CVEs : CVE-2025-24813

ELA-1375-1 shellinabox security update (by )

Fri, 04 Apr 2025 17:53:50 +0300

Package : shellinabox

Version : 2.21~deb9u1 (stretch)

Related CVEs : CVE-2018-16789

Denial of service with broken multipart/form-data has been fixed in shellinabox, a web server that can export arbitrary command line tools to a web based terminal emulator.

ELA-1374-1 ruby2.3 security update (by )

Thu, 03 Apr 2025 21:54:40 +0200

Package : ruby2.3

Version : 2.3.3-1+deb9u14 (stretch)

Ruby, a popular scripting language, was affected by multiple vulnerabilities.

CVE-2025-27219

In the CGI gem, the CGI::Cookie.parse method in the CGI library
contains a potential Denial of Service (DoS) vulnerability.
The method does not impose any limit on the length of the raw cookie
value it processes. This oversight can lead to excessive
resource consumption when parsing extremely large cookies.

CVE-2025-27220

In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the Util#escapeElement method.

CVE-2025-27221

In the URI gem, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained
even after changing the host.

ELA-1373-1 php-horde-turba regression update (by )

Thu, 03 Apr 2025 16:45:23 +0200

Package : php-horde-turba

Version : 4.2.23-1+deb10u2 (buster)

An error was introduced while fixing CVE-2022-30287 in Horde Turba, an address book component for the Horde groupware suite, see DLA 3090-1:

Note: while php-horde-turba is currently not supported, this update both fixes a regression and an issue on installation that hinders testing other supported php-horde-* packages.

ELA-1372-1 php-horde-imp security update (by )

Thu, 03 Apr 2025 16:40:39 +0200

Package : php-horde-imp

Version : 6.2.22-1+deb10u1 (buster)

Horde Editor, the HTML editor for the Horde groupware platform, relies on CKEditor v3. CKEditor v3 reached EOL and is not supported in Debian buster ELTS. This updates upgrades to CKEditor v4, as a first step to move to CKEditor v5.

Note: while php-horde-imp is currently not supported, this update is necessary to complete the CKEditor upgrade in php-horde-editor, which is supported, see ELA-1371-1.

ELA-1371-1 php-horde-editor security update (by )

Thu, 03 Apr 2025 16:39:27 +0200

Package : php-horde-editor

Version : 2.0.5+debian0-2+deb10u1 (buster)

ELA-1370-1 linux-5.10 security update (by )

Wed, 02 Apr 2025 13:25:40 +0200

Package : linux-5.10

Version : 5.10.234-1~deb8u2 (jessie), 5.10.234-1~deb9u1 (stretch), 5.10.234-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1369-1 tzdata new timezone database (by )

Tue, 01 Apr 2025 13:52:23 +0200

Package : tzdata

Version : 2025b-0+deb8u1 (jessie), 2025b-0+deb9u1 (stretch), 2025b-0+deb10u1 (buster)

This update includes the changes in tzdata 2025b. Notable changes are:

New America/Coyhaique zone for Aysén Region in Chile, which moves from -04/-03 to -03. It will not change its clocks on 2025-04-05.

ELA-1368-1 freetype security update (by )

Tue, 01 Apr 2025 01:42:38 +0300

Package : freetype

Version : 2.6.3-3.2+deb9u4 (stretch), 2.9.1-3+deb10u4 (buster)

Related CVEs : CVE-2025-27363

An out of bounds write with subglyph structures has been fixed in the font rendering library FreeType.

ELA-1367-1 suricata security update (by )

Mon, 31 Mar 2025 23:37:13 +0200

Package : suricata

Version : 1:4.1.2-2+deb10u3 (buster)

Several issues have been found in suricata, the next Generation Intrusion Detection and Prevention Tool. They are related to bypass of HTTP-based signature, mishandling of multiple fragmented packets, logic errors, infinite loops and buffer overflows.

ELA-1366-1 libdata-entropy-perl security update (by )

Mon, 31 Mar 2025 15:11:12 +0300

Package : libdata-entropy-perl

Version : 0.007-3.1+deb11u1~deb10u1 (buster)

Related CVEs : CVE-2025-1860

The perl module Data::Entropy was using the cryptographically insecure rand() function as the default entropy source.

ELA-1365-1 amd64-microcode security update (by )

Mon, 31 Mar 2025 08:33:49 +0200

Package : amd64-microcode

Version : 3.20250311.1~deb8u1 (jessie), 3.20250311.1~deb9u1 (stretch), 3.20250311.1~deb10u1 (buster)

Related CVEs : CVE-2024-56161

A potential vulnerability has been found for certain AMD platforms which creates a possible confidential computing vulnerability.

AMD has released updated microcode to prevent an attacker from loading tampered microcode.

Additionally, an SEV firmware update might be required for some platforms to support SEV-SNP attestation, which may also necessitate a BIOS update.

For details please see the AMD security bulletin AMD-SB-3019.

CVE-2024-56161 (AMD-SB-3019):

Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privileges to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.

ELA-1364-1 intel-microcode security update (by )

Sun, 30 Mar 2025 12:46:44 +0200

Package : intel-microcode

Version : 3.20250211.1~deb8u1 (jessie), 3.20250211.1~deb9u1 (stretch), 3.20250211.1~deb10u1 (buster)

Microcode updates have been released for Intel(R) processors, addressing multiple potential vulnerabilties that may allow local privilege escalation, denial of service or information disclosure.

CVE-2023-34440 (INTEL-SA-01139)

Improper input validation in UEFI firmware for some Intel(R) Processors
may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2023-43758 (INTEL-SA-01139)

Improper input validation in UEFI firmware for some Intel(R) processors
may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2024-24582 (INTEL-SA-01139)

Improper input validation in XmlCli feature for UEFI firmware for some
Intel(R) processors may allow privileged user to potentially enable
escalation of privilege via local access.

CVE-2024-28047 (INTEL-SA-01139)

Improper input validation in UEFI firmware for some Intel(R) Processors
may allow a privileged user to potentially enable information disclosure
via local access.

CVE-2024-28127 (INTEL-SA-01139)

Improper input validation in UEFI firmware for some Intel(R) Processors
may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2024-29214 (INTEL-SA-01139)

Improper input validation in UEFI firmware CseVariableStorageSmm for
some Intel(R) Processors may allow a privileged user to potentially
enable escalation of privilege via local access.

CVE-2024-31068 (INTEL-SA-01166)

Improper Finite State Machines (FSMs) in Hardware Logic for some
Intel(R) Processors may allow privileged user to potentially enable
denial of service via local access.

CVE-2024-31157 (INTEL-SA-01139)

Improper initialization in UEFI firmware OutOfBandXML module in some
Intel(R) Processors may allow a privileged user to potentially enable
information disclosure via local access.

CVE-2024-36293 (INTEL-SA-01213)

Improper access control in the EDECCSSA user leaf function for some
Intel(R) Processors with Intel(R) SGX may allow an authenticated user to
potentially enable denial of service via local access.

CVE-2024-37020 (INTEL-SA-01194)

Sequence of processor instructions leads to unexpected behavior in the
Intel(R) DSA V1.0 for some Intel(R) Xeon(R) Processors may allow an
authenticated user to potentially enable denial of service via local
access.

CVE-2024-39279 (INTEL-SA-01139)

Insufficient granularity of access control in UEFI firmware in some
Intel(R) processors may allow a authenticated user to potentially enable
denial of service via local access.

CVE-2024-39355 (INTEL-SA-01228)

Improper handling of physical or environmental conditions in some
Intel(R) Processors may allow an authenticated user to enable denial of
service via local access.

ELA-1363-1 librabbitmq security update (by )

Sun, 30 Mar 2025 11:37:56 +0200

Package : librabbitmq

Version : 0.5.2-2+deb8u2 (jessie)

Related CVEs : CVE-2023-35789

An issue has been found in librabbitmq, a AMQP client library and tools written in C. The issue is related to credential visibility when using the tools on the command line.

ELA-1362-1 librabbitmq security update (by )

Sun, 30 Mar 2025 11:32:08 +0200

Package : librabbitmq

Version : 0.8.0-1+deb9u1 (stretch), 0.9.0-0.2+deb10u1 (buster)

Related CVEs : CVE-2019-18609 CVE-2023-35789

Several issues have been found in librabbitmq, a AMQP client library and tools written in C. The issue are related to heap memory corruption due to integer overflow and credential visibility when using the tools on the command line.

ELA-1361-1 ffmpeg security update (by )

Sun, 30 Mar 2025 10:33:54 +0200

Package : ffmpeg

Version : 7:4.1.11-0+deb10u4 (buster)

Several issues have been found in ffmpeg, a library and tools for transcoding, streaming and playing of multimedia files. The issues are related to out-of-bounds read, assert errors and NULL pointer dereferences.

ELA-1360-1 ffmpeg security update (by )

Sun, 30 Mar 2025 09:55:33 +0200

Package : ffmpeg

Version : 7:3.2.19-0+deb9u7 (stretch)

ELA-1359-1 ruby2.5 security update (by )

Fri, 28 Mar 2025 21:51:17 +0000

Package : ruby2.5

Version : 2.5.5-3+deb10u10 (buster)

Ruby, a popular scripting language, was affected by multiple vulnerabilities.

CVE-2025-27219

In the CGI gem, the CGI::Cookie.parse method in the CGI library
contains a potential Denial of Service (DoS) vulnerability.
The method does not impose any limit on the length of the raw cookie
value it processes. This oversight can lead to excessive
resource consumption when parsing extremely large cookies.

CVE-2025-27220

In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the Util#escapeElement method.

CVE-2025-27221

In the URI gem, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained
even after changing the host.

ELA-1358-1 libxslt security update (by )

Fri, 28 Mar 2025 20:54:28 +0200

Package : libxslt

Version : 1.1.28-2+deb8u8 (jessie), 1.1.29-2.1+deb9u4 (stretch), 1.1.32-2.2~deb10u3 (buster)

Related CVEs : CVE-2024-55549 CVE-2025-24855

Two use-after-free vulnerabilities have been fixed in the XSLT processing library libxslt.

CVE-2024-55549

Use-after-free related to excluded namespaces

CVE-2025-24855

Use-after-free of XPath context node

Monthly report about Debian Long Term Support, February 2025 (by Roberto C. Sánchez)

Roberto C. Sánchez — Fri, 28 Mar 2025 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In February, 18 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 10.0h (out of 8.0h assigned and 6.0h from previous period), thus carrying over 4.0h to the next month.
Adrian Bunk did 12.0h (out of 0.0h assigned and 63.5h from previous period), thus carrying over 51.5h to the next month.
Andrej Shadura did 10.0h (out of 6.0h assigned and 4.0h from previous period).
Bastien Roucariès did 20.0h (out of 20.0h assigned).
Ben Hutchings did 12.0h (out of 8.0h assigned and 16.0h from previous period), thus carrying over 12.0h to the next month.
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 23.0h (out of 20.0h assigned and 6.0h from previous period), thus carrying over 3.0h to the next month.
Emilio Pozuelo Monfort did 53.0h (out of 53.0h assigned and 0.75h from previous period), thus carrying over 0.75h to the next month.
Guilhem Moulin did 11.0h (out of 3.25h assigned and 16.75h from previous period), thus carrying over 9.0h to the next month.
Jochen Sprickerhof did 27.0h (out of 30.0h assigned), thus carrying over 3.0h to the next month.
Lee Garrett did 11.75h (out of 9.5h assigned and 44.25h from previous period), thus carrying over 42.0h to the next month.
Markus Koschany did 40.0h (out of 40.0h assigned).
Roberto C. Sánchez did 7.0h (out of 14.75h assigned and 9.25h from previous period), thus carrying over 17.0h to the next month.
Santiago Ruano Rincón did 19.75h (out of 21.75h assigned and 3.25h from previous period), thus carrying over 5.25h to the next month.
Sean Whitton did 6.0h (out of 6.0h assigned).
Sylvain Beucler did 52.5h (out of 14.75h assigned and 39.0h from previous period), thus carrying over 1.25h to the next month.
Thorsten Alteholz did 11.0h (out of 11.0h assigned).
Tobias Frost did 17.0h (out of 17.0h assigned).

Evolution of the situation

In February, we have released 38 DLAs.

Notable security updates:
- pam-u2f, prepared by Patrick Winnertz, fixed an authentication bypass vulnerability
- openjdk-17, prepared by Emilio Pozuelo Monfort, fixed an authorization bypass/information disclosure vulnerability
- firefox-esr, prepared by Emilio Pozuelo Monfort, fixed several vulnerabilities
- thunderbird, prepared by Emilio Pozuelo Monfort, fixed several vulnerabilities
- postgresql-13, prepared by Christoph Berg, fixed an SQL injection vulnerability
- freerdp2, prepared by Tobias Frost, fixed several vulnerabilities
- openssh, prepared by Colin Watson, fixed a machine-in-the-middle vulnerability

LTS contributors Emilio Pozuelo Monfort and Santiago Ruano Rincón coordinated the administrative aspects of LTS updates of postgresql-13 and pam-u2f, which were prepared by the respective maintainers, to whom we are most grateful.

As has become the custom of the LTS team, work is under way on a number of package updates targeting Debian 12 (codename “bookworm”) with fixes for a variety of vulnerabilities. In February, Guilhem Moulin prepared an upload of sssd, while several other updates are still in progress. Bastien Roucariès prepared an upload of krb5 for unstable as well.

Given the importance of the Debian Security Tracker to the work of the LTS Team, we regularly contribute improvements to it. LTS contributor Emilio Pozuelo Monfort reviewed and merged a change to improve performance, and then dealt with unexpected issues that arose as a result. He also made improvements in the processing of CVEs which are not applicable to Debian.

Looking to the future (the release of Debian 13, codename “trixie”, and beyond), LTS contributor Santiago Ruano Rincón has initiated a conversation among the broader community involved in the development of Debian. The purpose of the discussion is to explore ways to improve the long term supportability of packages in Debian, specifically by focusing effort on ensuring that each Debian release contains the “best” supported upstream version of packages with a history of security issues.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 113 months)
- Civil Infrastructure Platform (CIP) (for 81 months)
- VyOS Inc (for 46 months)
Gold sponsors:
- Roche Diagnostics International AG (for 124 months)
- Akamai - Linode (for 118 months)
- Babiel GmbH (for 107 months)
- Plat’Home (for 107 months)
- University of Oxford (for 64 months)
- Deveryware (for 51 months)
- EDF SA (for 35 months)
- Dataport AöR (for 11 months)
- CERN (for 8 months)
Silver sponsors:
- Domeneshop AS (for 128 months)
- Nantes Métropole (for 122 months)
- Univention GmbH (for 114 months)
- Université Jean Monnet de St Etienne (for 114 months)
- Ribbon Communications, Inc. (for 108 months)
- Exonet B.V. (for 98 months)
- Leibniz Rechenzentrum (for 92 months)
- Ministère de l’Europe et des Affaires Étrangères (for 76 months)
- Cloudways by DigitalOcean (for 65 months)
- Dinahosting SL (for 63 months)
- Bauer Xcel Media Deutschland KG (for 58 months)
- Platform.sh SAS (for 58 months)
- Moxa Inc. (for 52 months)
- sipgate GmbH (for 49 months)
- OVH US LLC (for 47 months)
- Tilburg University (for 47 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 39 months)
- Soliton Systems K.K. (for 36 months)
- THINline s.r.o. (for 12 months)
- Copenhagen Airports A/S (for 5 months)
Bronze sponsors:
- Evolix (for 129 months)
- Seznam.cz, a.s. (for 129 months)
- Linuxhotel GmbH (for 126 months)
- Intevation GmbH (for 125 months)
- Daevel SARL (for 124 months)
- Bitfolk LTD (for 123 months)
- Megaspace Internet Services GmbH (for 123 months)
- Greenbone AG (for 122 months)
- NUMLOG (for 122 months)
- WinGo AG (for 122 months)
- Entr’ouvert (for 113 months)
- Adfinis AG (for 111 months)
- GNI MEDIA (for 105 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 105 months)
- Tesorion (for 105 months)
- Bearstech (for 97 months)
- LiHAS (for 97 months)
- Catalyst IT Ltd (for 91 months)
- Supagro (for 87 months)
- Demarcq SAS (for 85 months)
- Université Grenoble Alpes (for 71 months)
- TouchWeb SAS (for 64 months)
- SPiN AG (for 60 months)
- CoreFiling (for 56 months)
- Institut des sciences cognitives Marc Jeannerod (for 51 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 48 months)
- Tem Innovations GmbH (for 43 months)
- WordFinder.pro (for 42 months)
- CNRS DT INSU Résif (for 41 months)
- Alter Way (for 34 months)
- Institut Camille Jordan (for 24 months)
- SOBIS Software GmbH (for 8 months)
- Tuxera Inc.

ELA-1357-1 clamav security update (by )

Wed, 26 Mar 2025 15:34:40 -0300

Package : clamav

Version : 1.0.7+dfsg-1~deb9u1 (stretch)

This update brings ClamAV 1.0.7, which comes with the ability to keep downloading the bytecode database (the previous version will be declared EOL by upstream soon and lose that ability).

The following packages were updated/introduced to the archive to allow the new ClamAV build. An important side note is that those packages will not become officially supported:

libarchive-latest/t3.3.3-4~deb9u1
libuv1-latest/1.24.1-1~deb9u1
cmake-latest/3.18.4-2~deb9u1
protobuf-latest/3.6.1.3-2~deb9u1
grpc/1.16.1-1~deb9u1
llvm-toolchain-13/1:13.0.1-6~deb9u1
rustc-mozilla/1.63.0+dfsg1-2~deb9u1
cargo-mozilla/0.66.0+ds1-1~deb9u1

The following packages were also updated due to the new ClamAV library package:

dansguardian/2.10.1.1-5.1+deb9u3
havp/0.92a-4+deb9u2
c-icap-modules/1:0.4.4-1+deb9u3
libclamunrar/1.0.3-1~deb9u1
python-clamav/0.4.1-8+deb9u2

ELA-1356-1 python-django security update (by )

Wed, 26 Mar 2025 12:10:39 +0000

Package : python-django

Version : 1.7.11-1+deb8u19 (jessie), 1:1.10.7-2+deb9u25 (stretch), 1:1.11.29-1+deb10u14 (buster)

Related CVEs : CVE-2025-26699

It was discovered that there was a potential denial-of-service (DoS) vulnerability in Django, a Python-based web development framework.

The issue was situated in the wrap() method of the django.utils.text module. This method and the |wordwrap template filter were subject to a potential DoS attack when used with very long strings.

ELA-1355-1 lighttpd security update (by )

Mon, 24 Mar 2025 20:55:39 -0300

Package : lighttpd

Version : 1.4.45-1+deb9u2 (stretch)

Related CVEs : CVE-2018-25103

Fix use-after-free vulnerabilities in request parsing which might read from invalid pointers to memory used in the same request, not from other requests.

ELA-1354-1 ruby-rack security update (by )

Mon, 24 Mar 2025 23:57:51 +0200

Package : ruby-rack

Version : 1.6.4-4+deb9u7 (stretch), 2.0.6-3+deb10u5 (buster)

Multiple vulnerabilities have been fixed in ruby-rack, an interface for developing web applications in Ruby.

CVE-2025-25184

Log Injection in Rack::CommonLogger

CVE-2025-27111

Log Injection in Rack::Sendfile

CVE-2025-27610

Local file inclusion in Rack::Static

ELA-1353-1 tzdata new timezone database (by )

Tue, 18 Mar 2025 19:45:47 +0100

Package : tzdata

Version : 2025a-0+deb8u1 (jessie), 2025a-0+deb9u1 (stretch), 2025a-0+deb10u1 (buster)

This update includes the changes in tzdata 2025a. Notable changes are:

Paraguay adopts permanent -03 starting in spring 2024.
Updated leap second list, which was set to expire by the end of June.

ELA-1352-1 gnutls28 security update (by )

Sun, 16 Mar 2025 20:45:45 +0100

Package : gnutls28

Version : 3.3.30-0+deb8u3 (jessie), 3.5.8-5+deb9u8 (stretch), 3.6.7-4+deb10u13 (buster)

Related CVEs : CVE-2024-12243

Bing Shi discovered that certificate data with a large number of names or name constraints were handled inefficiently, which may lead to Denial of Service upon specially crafted certificates.

ELA-1351-1 squid3 security update (by )

Sun, 16 Mar 2025 18:15:33 +0100

Package : squid3

Version : 3.5.23-5+deb8u8 (jessie), 3.5.23-5+deb9u11 (stretch)

Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache.

CVE-2024-25617

A Denial of Service attack against HTTP header parsing. This problem allows
a remote client or a remote server to perform Denial of Service when
sending oversized headers in HTTP messages.

CVE-2024-37894

Due to an Out-of-bounds Write error when assigning ESI variables, Squid is
susceptible to a Memory Corruption error. This error can lead to a Denial
of Service attack.

CVE-2024-45802

Disable ESI feature support. Due to Input Validation, Premature Release of
Resource During Expected Lifetime, and Missing Release of Resource after
Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks
by a trusted server against all clients using the proxy. This problem is
fixed by changing the build configuration to specify the --disable-esi
option.

ELA-1349-1 python2.7 security update (by )

Fri, 14 Mar 2025 15:22:58 +0100

Package : python2.7

Version : 2.7.9-2-ds1-1+deb8u13 (jessie)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail header injection, memory leak, improper validation and denial of service (DoS).

CVE-2023-27043

The email module of Python incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup).
CVE-2024-5642

CPython doesn’t disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
CVE-2024-6232

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
CVE-2024-6923

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
CVE-2024-7592

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
CVE-2024-11168

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren’t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
CVE-2025-0938

urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn’t valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

ELA-1348-1 python2.7 security update (by )

Fri, 14 Mar 2025 15:22:47 +0100

Package : python2.7

Version : 2.7.13-2+deb9u10 (stretch)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail header injection, memory corruption, memory leak, improper validation and denial of service (DoS).

CVE-2023-27043

The email module of Python incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup).
CVE-2024-0397

memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()” in the “ssl” module. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured.
CVE-2024-5642

CPython doesn’t disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
CVE-2024-6232

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
CVE-2024-6923

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
CVE-2024-7592

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
CVE-2024-11168

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren’t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
CVE-2025-0938

urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn’t valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

ELA-1350-1 pypy security update (by )

Fri, 14 Mar 2025 15:11:13 +0100

Package : pypy

Version : 5.6.0+dfsg-4+deb9u2 (stretch), 7.0.0+dfsg-3+deb10u2 (buster)

Multiple vulnerabilities were discovered in PyPy, a fast, compliant alternative implementation of the Python language.

All fixed vulnerabilities come from embedded code copies.

For vulnerabilities from the python2.7 standard library, please refer to ELA-1349-1.

ELA-1347-1 python2.7 security update (by )

Fri, 14 Mar 2025 15:08:51 +0100

Package : python2.7

Version : 2.7.16-2+deb10u5 (buster)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail header injection, memory corruption, improper validation and denial of service (DoS).

CVE-2023-27043

The email module of Python incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup).
CVE-2024-0397

memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()” in the “ssl” module. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured.
CVE-2024-6232

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
CVE-2024-6923

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
CVE-2024-7592

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
CVE-2024-11168

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren’t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
CVE-2025-0938

urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn’t valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

ELA-1346-1 gst-plugins-good1.0 security update (by )

Thu, 13 Mar 2025 18:01:50 +0000

Package : gst-plugins-good1.0

Version : 1.14.4-1+deb10u4 (buster)

ELA-1345-1 squid security update (by )

Tue, 11 Mar 2025 14:24:36 +0100

Package : squid

Version : 4.6-1+deb10u11 (buster)

Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache.

CVE-2024-23638

A Denial of Service attack against Cache Manager error responses. This
problem allows a trusted client to perform Denial of Service when
generating error pages for Client Manager reports.

CVE-2024-25111

A possible Denial of Service attack against HTTP Chunked decoder due to an
uncontrolled recursion bug. This problem allows a remote attacker to cause
Denial of Service when sending a crafted, chunked, encoded HTTP Message.

CVE-2024-25617

A Denial of Service attack against HTTP header parsing. This problem allows
a remote client or a remote server to perform Denial of Service when
sending oversized headers in HTTP messages.

CVE-2024-37894

Due to an Out-of-bounds Write error when assigning ESI variables, Squid is
susceptible to a Memory Corruption error. This error can lead to a Denial
of Service attack.

CVE-2024-45802

Disable ESI feature support. Due to Input Validation, Premature Release of
Resource During Expected Lifetime, and Missing Release of Resource after
Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks
by a trusted server against all clients using the proxy. This problem is
fixed by changing the build configuration to specify the --disable-esi
option.

Debian Contributions: Debian.Social administration, DebConf 25 preparations, Fixing Time-based test failure in Python requests package and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Tue, 11 Mar 2025 00:00:00 +0000

Debian Contributions: 2025-02

Debian.Social administration, by Stefano Rivera

Over the last year, the Debian.social services outgrew the infrastructure that was supporting them. The matrix bridge in particular was hosted on a cloud instance backed by a large expensive storage volume. Debian.CH rented a new large physical server to host all these instances, earlier this year. Stefano set up Incus on the new physical machine and migrated all the old debian.social LXC Containers, libvirt VMs, and cloud instances into Incus-managed LXC containers.

Stefano set up Prometheus monitoring and alerts for the new infrastructure and a Grafana dashboard. The current stack of debian.social services seem to comfortably fit on the new machine, with good room to grow.

DebConf 25, by Santiago Ruano Rincón and Stefano Rivera

DebConf 25 preparations continue. The team is currently finalizing a budget. Stefano helped to review the current budget proposals and suggest approaches for balancing it.

Stefano installed a Zammad instance to organize queries from attendees, for the registration and visa teams.

Santiago continued discussions with possible caterers so we can have options for the different diet requirements and that could fit into the DebConf budget. Also, in collaboration with Anupa, Santiago pushed the first draft changes to document the venue information in the DebConf 25 website and how to get to Brest.

Time-based test failure in requests, by Colin Watson

Colin fixed a fun bug in the Python requests package. Santiago Vila has been running tests of what happens when Debian packages are built on a system in which time has been artificially set to somewhere around the end of the support period for the next Debian release, in order to make it easier to do things like issuing security updates for the lifetime of that release. In this case, the failure indicated an expired test certificate, and since the repository already helpfully included scripts to regenerate those certificates, it seemed natural to try regenerating them just before running tests. However, this failed for more obscure reasons and Colin spent some time investigating. This turned out to be because the test CA was missing the CA constraint and so recent versions of OpenSSL reject it; Colin sent a pull request to fix this.

Priority list for outdated packages, by Santiago Ruano Rincón

Santiago started a discussion on debian-devel about packages that have a history of security issues and that are outdated regarding new upstream releases. The goal of the mentioned effort is to have a prioritized list of packages needing some work, from a security point of view. Moreover, the aim of publicly sharing the list of packages with the Debian Developers community is to make it easier to look at the packages maintained by teams, or even other maintainers’ where help could be welcome. Santiago is planning to take into account the feedback provided in debian-devel and to propose a tooling that could help to regularly bring collective awareness of these packages.

Miscellaneous contributions

Carles worked on English to Catalan po-debconf translations: reviewed translations, created merge requests and followed up with developers for more than 30 packages using po-debconf-manager.
Carles helped users, fixed bugs and implemented downloading updated templates on po-debconf-manager.
Carles packaged a new upstream version of python-pyaarlo.
Carles improved reproducibility of qnetload (now reported as reproducible) and simplemonitor (followed up with upstream and pending update of Debian package).
Carles collaborated with debian-history package: fixed FTBFS from master branch, enabled salsa-ci and investigated reproducibility.
Emilio improved support for automatically marking CVEs as NOT-FOR-US in the security-tracker, closing #1073012.
Emilio updated xorg-server and xwayland in unstable, fixing the last round of security vulnerabilities.
Stefano prepared a few PyPy and cPython uploads, and started the python3.13-only transition.
Helmut Grohne sent patches for 24 cross build failures.
Helmut fixed two problems in the Debian /usr-merge analysis tool. In one instance, it would overmatch Debian bugs to issues and in another it would fail to recognize Pre-Depends as a conflict mechanism.
Helmut attempted making rebootstrap work for gcc-15 with limited success as very many packages FTBFS with gcc-15 due to using function declarations without arguments.
Helmut provided a change to the security-tracker that would pre-compute /data/json during database updates rather than on demand resulting in a reduced response time.
Colin uploaded OpenSSH security updates for testing/unstable, bookworm, bullseye, buster, and stretch.
Colin fixed upstream monitoring for 26 Python packages, and upgraded 54 packages (mostly Python-related, but also PuTTY) to new upstream versions.
Colin updated python-django in bookworm-backports to 4.2.18 (issuing BSA-121), and added new backports of python-django-dynamic-fixture and python-django-pgtrigger, all of which are dependencies of debusine.
Thorsten Alteholz finally managed to upload hplip to fix two release critical and some normal bugs. The next step in March would be to upload the latest version of hplip.
Faidon updated crun in unstable & trixie, resolving a long-standing request of enabling criu support and thus enabling podman with checkpoint/restore functionality (With gratitude to Salvatore Bonaccorso and Reinhard Tartler for the cooperation and collaboration).
Faidon uploaded a number of packages (librdkafka, libmaxminddb, python-maxminddb, lowdown, tox, tox-uv, pyproject-api, xiccd and gdnsd) bringing them up to date with new upstream releases, resolving various bugs.
Lucas Kanashiro uploaded some ruby packages involved in the Rails 7 transition with new upstream releases.
Lucas triaged a ruby3.1 bug (#1092595)) and prepared a fix for the next stable release update.
Lucas set up the needed wiki pages and updated the Debian Project status in the Outreachy portal, in order to send out a call for projects and mentors for the next round of Outreachy.
Anupa joined Santiago to prepare a list of companies to contact via LinkedIn for DebConf 25 sponsorship.
Anupa printed Debian stickers and sponsorship brochures, flyers for DebConf 25 to be distributed at FOSS ASIA summit 2025.
Anupa participated in the Debian publicity team meeting and discussed the upcoming events and tasks.
Raphaël packaged zim 0.76.1 and integrated an upstream patch for another regression that he reported.
Raphaël worked with the Debian System Administrators for tracker.debian.org to better cope with gmail’s requirement for mails to be authenticated.

ELA-1344-1 commons-beanutils security update (by )

Sun, 09 Mar 2025 23:29:38 +0200

Package : commons-beanutils

Version : 1.9.3-1+deb10u1 (buster)

Related CVEs : CVE-2019-10086

Arbitrary code execution was possible by default in Apache Commons BeanUtils, Java classes for working with JavaBeans classes.

If needed, users can restore the previous default with

final BeanUtilsBean bub = new BeanUtilsBean(); 
bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

ELA-1343-1 proftpd-dfsg security update (by )

Sun, 09 Mar 2025 15:30:32 +0000

Package : proftpd-dfsg

Version : 1.3.5e+r1.3.5b-4+deb9u4 (stretch), 1.3.6-4+deb10u7 (buster)

Multiple vulnerabilities were fixed in ProFTPD, a popular FTP server.

CVE-2023-48795:

The SSH transport protocol with certain OpenSSH extensions like the SFTP implementation found in ProFTPD, allows remote attackers
to bypass integrity checks such that some packets are omitted (from the extension negotiation message),
and a client and server may consequently end up with a connection for which some security features have been downgraded
or disabled.

This attack is also known as the Terrapin attack.

CVE-2023-51713:

The make_ftp_cmd function in ProFTPD has a one-byte out-of-bounds read.

CVE-2024-48651:

A user with no supplemental groups will incorrectly inherit supplemental groups
from the parent process. The parent process retains supplemental GID 0, which is inherited by child
processes and not overwritten if the authenticated user has no supplemental groups.

CVE-2024-57392:

A Buffer Overflow vulnerability allowed a remote attacker to execute arbitrary code (RCE) and can cause a
Denial of Service (DoS) on the FTP service by sending a maliciously crafted message to the ProFTPD service port.

Moreover two important bugs were fixed on this release

Blastradius fix:

Fix the computation of the RADIUS Message-Authenticator signature to conform
more properly to RFC 2869, and allow RADIUS authentification to work against
mitigations of CVE-2024-3596.

Debian bug #1090813:

The PassivePorts directive can cause proftpd to swap data streams across
clients when the server is in passive mode.

ELA-1342-1 log4net security update (by )

Sun, 09 Mar 2025 13:32:49 +0200

Package : log4net

Version : 1.2.10+dfsg-8~deb10u1 (buster)

Related CVEs : CVE-2018-1285

XML external entities were not disabled when parsing configuration files in log4net, a logging library for the Common Language Infrastructure (Mono, .NET).

ELA-1341-1 sqlparse security update (by )

Sat, 08 Mar 2025 07:54:48 +0100

Package : sqlparse

Version : 0.1.13-2+deb8u1 (jessie), 0.2.2-1+deb9u2 (stretch), 0.2.4-1+deb10u2 (buster)

Related CVEs : CVE-2024-4340

Uriya Yavniely discovered that passing a heavily nested list to sqlparse.parse() may raise a RecursionError exception, which may lead to denial of service.

A generic SQLParseError is now raised instead.

ELA-1340-1 emacs24 security update (by )

Wed, 05 Mar 2025 18:16:25 +0800

Package : emacs24

Version : 24.4+1-5+deb8u6 (jessie), 24.5+1-11+deb9u6 (stretch)

Multiple problems were discovered in GNU Emacs, the extensible, customisable, self-documenting real-time display editor.

CVE-2022-45939

Improper use of the system C library function in Emacs’s implementation of the ctags program could permit shell metacharcater injection when used on untrusted input source code.

CVE-2024-53920

Several ways to trigger arbitrary code execution were discovered in Emacs’s support for editing files in its own dialect of Lisp. These include arbitrary code execution upon opening an otherwise innocent-looking file, with any (or no) file extension, for editing.

CVE-2025-1244

Improper handling of custom ‘man’ URI schemes could allow an attacker to execute arbitrary shell commands by tricking users into visiting a specially crafted website, or an HTTP URL with a redirect.

ELA-1339-1 linux-6.1 security update (by )

Sun, 02 Mar 2025 17:18:00 +0100

Package : linux-6.1

Version : 6.1.128-1~deb9u1 (stretch), 6.1.128-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1338-1 nodejs security update (by )

Sun, 02 Mar 2025 11:06:01 +0000

Package : nodejs

Version : 10.24.0~dfsg-1~deb10u5 (buster)

Related CVEs : CVE-2025-23085

A vulnerability was fixed in Node.js, a popular JavaScript runtime implementation.

A memory leak could occur when a remote peer (client) abruptly closes an HTTP/2 socket without sending a GOAWAY notification. Additionally, the same leak could be triggered if an invalid header is detected by nghttp2, causing the connection to be terminated by the peer.

This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects Node.js HTTP/2 Server users.

ELA-1337-1 xorg-server security update (by )

Sat, 01 Mar 2025 00:23:25 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u18 (jessie), 2:1.19.2-1+deb9u21 (stretch), 2:1.20.4-1+deb10u16 (buster)

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

ELA-822-2 amanda regression update (by )

Sat, 01 Mar 2025 00:02:49 +0100

Package : amanda

Version : 1:3.3.9-5+deb9u3 (stretch)

A fix of CVE-2022-37704 for amanda, the Advanced Maryland Automatic Network Disk Archiver, has been found incomplete. This update fixes handling of RSH environment variables and uses a correct check for dump/xfsdump.

ELA-1336-1 libtasn1-6 security update (by )

Fri, 28 Feb 2025 18:25:03 +0100

Package : libtasn1-6

Version : 4.2-3+deb8u6 (jessie), 4.10-1.1+deb9u3 (stretch), 4.13-3+deb10u2 (buster)

Related CVEs : CVE-2024-12133

Bing Shi discovered that certificate data with a large number of names or name constraints were handled inefficiently, which may lead to Denial of Service upon specially crafted certificates.

ELA-1331-1 dnsmasq security update (by )

Fri, 28 Feb 2025 14:24:49 +0100

Package : dnsmasq

Version : 2.72-3+deb8u8 (jessie), 2.76-5+deb9u5 (stretch)

Related CVEs : CVE-2023-50387 CVE-2023-50868

Two vulnerabilities were found in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, which could lead to denial of service by querying specially crafted DNS resource records in control of an attacker.

CVE-2023-50387

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers to cause a denial of service (CPU
consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One
of the concerns is that, when there is a zone with many DNSKEY and RRSIG
records, the protocol specification implies that an algorithm must evaluate
all combinations of DNSKEY and RRSIG records.

CVE-2023-50868

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote attackers to cause a denial of
service (CPU consumption for SHA-1 computations) via DNSSEC responses in a
random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification
implies that an algorithm must perform thousands of iterations of a hash
function in certain situations.

For jessie and stretch, DNSSEC support has been disabled, as a backport of the fix was deemed too disruptive. Administrators can still validate DNS lookups on downstream clients by installing a validating resolver there. For administrators that require DNSSEC support in dnsmasq, we recommend upgrading to at least buster.

ELA-1335-1 emacs25 security update (by )

Fri, 28 Feb 2025 17:03:41 +0800

Package : emacs25

Version : 25.1+1-4+deb9u6 (stretch)

Related CVEs : CVE-2024-53920 CVE-2025-1244

Multiple problems were discovered in GNU Emacs, the extensible, customisable, self-documenting real-time display editor.

CVE-2024-53920

CVE-2025-1244

ELA-1334-1 emacs security update (by )

Fri, 28 Feb 2025 17:02:42 +0800

Package : emacs

Version : 1:26.1+1-3.2+deb10u7 (buster)

Related CVEs : CVE-2024-53920 CVE-2025-1244

Multiple problems were discovered in GNU Emacs, the extensible, customisable, self-documenting real-time display editor.

CVE-2024-53920

CVE-2025-1244

ELA-1333-1 ruby2.1 security update (by )

Thu, 27 Feb 2025 19:27:49 +0000

Package : ruby2.1

Version : 2.1.5-2+deb8u15 (jessie)

Multiple vulnerabilities were found in ruby a popular programming language.

CVE-2024-35176

The REXML gem has a Denial of Service (DoS) vulnerability
when it parses an XML that has many <s in
an attribute value. Those who need to parse
untrusted XMLs may be impacted to this vulnerability.

CVE-2024-39908

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters such
as <, 0 and %>. If you need to parse untrusted XMLs,
you many be impacted to these vulnerabilities.

CVE-2024-41123

The REXML gem has some DoS vulnerabilities when it parses an XML
that has many specific characters such as whitespace character,
>] and ]>.

CVE-2024-41123

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters
such as whitespace character, >] and ]>.
If you need to parse untrusted XMLs, you may be impacted
to these vulnerabilities.

CVE-2024-41946

The REXML gem had a Denial of Service (DoS) vulnerability
when it parses an XML that has many entity expansions
with SAX2 or pull parser API.

CVE-2024-43398

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.6 has a Denial of Service (DoS)
vulnerability when it parses an XML that has many deep
elements that have same local name attributes.
If you need to parse untrusted XMLs with tree parser
API like REXML::Document.new, you may be impacted
to this vulnerability. If you use other parser APIs
such as stream parser API and SAX2 parser API,
you are not impacted.

CVE-2024-49761

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.9 has a ReDoS vulnerability
when it parses an XML that has many digits between
&# and x...; in a hex numeric character reference (&#x...;)

ELA-1332-1 apache2 security update (by )

Thu, 27 Feb 2025 19:13:28 +0000

Package : apache2

Version : 2.4.10-10+deb8u30 (jessie)

Related CVEs : CVE-2024-38473

apache2 a popular webserver was affected by a vulnerability.

Encoding problem allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

ELA-1330-1 ruby2.3 security update (by )

Tue, 25 Feb 2025 16:42:18 +0000

Package : ruby2.3

Version : 2.3.3-1+deb9u13 (stretch)

Multiple vulnerabilities were found in ruby a popular programming language.

CVE-2024-35176

The REXML gem has a Denial of Service (DoS) vulnerability
when it parses an XML that has many <s in
an attribute value. Those who need to parse
untrusted XMLs may be impacted to this vulnerability.

CVE-2024-39908

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters such
as <, 0 and %>. If you need to parse untrusted XMLs,
you many be impacted to these vulnerabilities.

CVE-2024-41123

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters
such as whitespace character, >] and ]>.
If you need to parse untrusted XMLs, you may be impacted
to these vulnerabilities.

CVE-2024-41123

The REXML gem has some DoS vulnerabilities when it parses an XML
that has many specific characters such as whitespace character,
>] and ]>.

CVE-2024-41946

The REXML gem had a Denial of Service (DoS) vulnerability
when it parses an XML that has many entity expansions
with SAX2 or pull parser API.

CVE-2024-43398

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.6 has a Denial of Service (DoS)
vulnerability when it parses an XML that has many deep
elements that have same local name attributes.
If you need to parse untrusted XMLs with tree parser
API like REXML::Document.new, you may be impacted
to this vulnerability. If you use other parser APIs
such as stream parser API and SAX2 parser API,
you are not impacted.

CVE-2024-49761

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.9 has a ReDoS vulnerability
when it parses an XML that has many digits between
&# and x...; in a hex numeric character reference (&#x...;)

ELA-1329-1 apache2 security update (by )

Tue, 25 Feb 2025 16:37:18 +0000

Package : apache2

Version : 2.4.25-3+deb9u20 (stretch)

Related CVEs : CVE-2024-38473

apache2 a popular webserver was affected by a vulnerability.

Encoding problem allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

ELA-1328-1 krb5 security update (by )

Mon, 24 Feb 2025 21:31:08 +0000

Package : krb5

Version : 1.12.1+dfsg-19+deb8u10 (jessie), 1.15-1+deb9u7 (stretch), 1.17-3+deb10u8 (buster)

Related CVEs : CVE-2025-24528

MIT krb5 a popular implementation of kerberos 5 authentication protocol was affected by a vulnerability.

An authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.

ELA-1327-1 libxml2 security update (by )

Mon, 24 Feb 2025 18:58:28 +0100

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u18 (jessie), 2.9.4+dfsg1-2.2+deb9u12 (stretch), 2.9.4+dfsg1-7+deb10u10 (buster)

Multiple vulnerabilities have been found in libxml2, a library providing support to read, modify and write XML and HTML files. These vulnerabilities could potentially lead to denial of servie or other unintended behaviors.

CVE-2022-49043

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.

CVE-2023-39615 (Stretch only)

libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at 
/libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

CVE-2023-45322 (Stretch only)

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

CVE-2024-25062 (Stretch only)

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

CVE-2024-56171

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

CVE-2025-24928

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

CVE-2025-27113

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

ELA-1325-1 bind9 security update (by )

Fri, 21 Feb 2025 09:55:59 +0100

Package : bind9

Version : 1:9.10.3.dfsg.P4-12.3+deb9u18 (stretch), 1:9.11.5.P4+dfsg-5.1+deb10u14 (buster)

Related CVEs : CVE-2024-11187

One vulnerability was discovered in BIND, a DNS server implementation, which may result in denial of service.

It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to exploit this flaw.

ELA-1326-1 python-urllib3 security update (by )

Fri, 21 Feb 2025 00:59:00 +0100

Package : python-urllib3

Version : 1.9.1-3+deb8u3 (jessie), 1.19.1-1+deb9u3 (stretch), 1.24.1-1+deb10u3 (buster)

Related CVEs : CVE-2024-37891

It was discovered that when sending HTTP requests without using urllib3’s proxy support, it’s possible to accidentally set the Proxy-Authorization header even though it won’t have any effect as the request is not using a forwarding proxy or a tunneling proxy.

In those cases, urllib3 doesn’t treat the Proxy-Authorization HTTP header as one carrying authentication material and thus doesn’t strip the header on cross-origin redirects, which might lead to authorization bypass.

ELA-1324-1 openssh security update (by )

Thu, 20 Feb 2025 19:42:59 +0100

Package : openssh

Version : 1:7.4p1-10+deb9u10 (stretch), 1:7.9p1-10+deb10u5 (buster)

Related CVEs : CVE-2025-26465

The Qualys Threat Research Unit (TRU) discovered that the OpenSSH client is vulnerable to a machine-in-the-middle attack if the VerifyHostKeyDNS option is enabled (disabled by default).

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). This issue was assigned CVE-2020-14145. Completely removing this information leak would cause other problems, but this update includes a partial mitigation by preferring the default ordering if the user has a key that matches the best-preference default algorithm.

In addition, the stretch update fixes a regression introduced with the fix for CVE-2023-48795, which could cause segmentation faults under some circumstances.

ELA-1323-1 pypy security update (by )

Fri, 14 Feb 2025 10:27:25 +0100

Package : pypy

Version : 7.0.0+dfsg-3+deb10u1 (buster)

Multiple vulnerabilities were discovered in PyPy, a fast, compliant alternative implementation of the Python language.

All fixed vulnerabilities come from embedded code copies.

For vulnerabilities from the python2.7 standard library, please refer to:

One vulnerability comes from internal python2.7 C code copy, Pypy is only affected when making use of the compatibility layer for Python C extension (cpyext):

CVE-2014-7185

Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a “buffer” function.

The remaining minor vulnerability comes from a python-pi embedded copy. We believe it is not exploitable, as the bundled py module is only used during package build, but it is included for consistency with pypy3 DLA-3966-1:

CVE-2020-29651

A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

ELA-1322-1 pypy security update (by )

Fri, 14 Feb 2025 10:27:12 +0100

Package : pypy

Version : 5.6.0+dfsg-4+deb9u1 (stretch)

Multiple vulnerabilities were discovered in PyPy, a fast, compliant alternative implementation of the Python language.

All fixed vulnerabilities come from embedded code copies.

For vulnerabilities from the python2.7 standard library, please refer to:

One vulnerability comes from internal python2.7 C code copy, Pypy is only affected when making use of the compatibility layer for Python C extension (cpyext):

CVE-2014-7185

Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a “buffer” function.

CVE-2020-29651

A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Monthly report about Debian Long Term Support, January 2025 (by Roberto C. Sánchez)

Roberto C. Sánchez — Fri, 14 Feb 2025 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In January, 20 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 8.0h (out of 14.0h assigned), thus carrying over 6.0h to the next month.
Adrian Bunk did 36.5h (out of 47.75h assigned and 52.25h from previous period), thus carrying over 63.5h to the next month.
Andrej Shadura did 11.0h (out of 11.0h assigned and 4.0h from previous period), thus carrying over 4.0h to the next month.
Arturo Borrero Gonzalez did 9.0h (out of 10.0h assigned), thus carrying over 1.0h to the next month.
Bastien Roucariès did 22.0h (out of 22.0h assigned).
Ben Hutchings did 8.0h (out of 21.0h assigned and 3.0h from previous period), thus carrying over 16.0h to the next month.
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 20.0h (out of 23.0h assigned and 3.0h from previous period), thus carrying over 6.0h to the next month.
Emilio Pozuelo Monfort did 34.0h (out of 7.0h assigned and 27.75h from previous period), thus carrying over 0.75h to the next month.
Guilhem Moulin did 3.25h (out of 20.0h assigned), thus carrying over 16.75h to the next month.
Jochen Sprickerhof did 23.0h (out of 15.0h assigned and 8.0h from previous period).
Lee Garrett did 15.75h (out of 8.5h assigned and 51.5h from previous period), thus carrying over 44.25h to the next month.
Lucas Kanashiro did 8.0h (out of 32.0h assigned and 32.0h from previous period), thus carrying over 56.0h to the next month.
Markus Koschany did 40.0h (out of 40.0h assigned).
Roberto C. Sánchez did 14.75h (out of 13.5h assigned and 10.5h from previous period), thus carrying over 9.25h to the next month.
Santiago Ruano Rincón did 21.75h (out of 18.75h assigned and 6.25h from previous period), thus carrying over 3.25h to the next month.
Sean Whitton did 8.5h (out of 8.5h assigned).
Sylvain Beucler did 10.5h (out of 0.0h assigned and 49.5h from previous period), thus carrying over 39.0h to the next month.
Thorsten Alteholz did 11.0h (out of 11.0h assigned).
Tobias Frost did 12.0h (out of 12.0h assigned).

Evolution of the situation

In January, we have released 33 DLAs.

There were numerous security and non-security updates to Debian 11 (codename “bullseye”) during January.

Notable security updates:
- rsync, prepared by Thorsten Alteholz, fixed several CVEs (including information leak and path traversal vulnerabilities)
- tomcat9, prepared by Markus Koschany, fixed several CVEs (including denial of service and information disclosure vulnerabilities)
- ruby2.7, prepared by Bastien Roucariès, fixed several CVEs (including denial of service vulnerabilities)
- tiff, prepared by Adrian Bunk, fixed several CVEs (including NULL ptr, buffer overflow, use-after-free, and segfault vulnerabilities)
Notable non-security updates:
- linux-6.1, prepared by Ben Hutchings, has been packaged for bullseye (this was done specifically to provide a supported upgrade path for systems that currently use kernel packages from the “bullseye-backports” suite)
- debian-security-support, prepared by Santiago Ruano Rincón, which formalized the EOL of intel-mediasdk and node-matrix-js-sdk

In addition to the security and non-security updates targeting “bullseye”, various LTS contributors have prepared uploads targeting Debian 12 (codename “bookworm”) with fixes for a variety of vulnerabilities. Abhijith PA prepared an upload of puma; Bastien Roucariès prepared an upload of node-postcss with fixes for data processing and denial of service vulnerabilities; Daniel Leidert prepared updates for setuptools, python-asyncssh, and python-tornado; Lee Garrett prepared an upload of ansible-core; and Guilhem Moulin prepared updates for python-urllib3, sqlparse, and opensc. Santiago Ruano Rincón also worked on tracking and filing some issues about packages that need an update in recent releases to avoid regressions on upgrade. This relates to CVEs that were fixed in buster or bullseye, but remain open in bookworm. These updates, along with Santiago’s work on identifying and tracking similar issues, underscore the LTS Team’s commitment to ensuring that the work we do as part of LTS also benefits the current Debian stable release.

LTS contributor Sean Whitton also prepared an upload of jinja2 and Santiago Ruano Rincón prepared an upload of openjpeg2 for Debian unstable (codename “sid”), as part of the LTS Team effort to assist with package uploads to unstable.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 112 months)
- Civil Infrastructure Platform (CIP) (for 80 months)
- VyOS Inc (for 44 months)
Gold sponsors:
- Roche Diagnostics International AG (for 122 months)
- Akamai - Linode (for 116 months)
- Babiel GmbH (for 106 months)
- Plat’Home (for 105 months)
- University of Oxford (for 62 months)
- Deveryware (for 49 months)
- EDF SA (for 34 months)
- Dataport AöR (for 9 months)
- CERN (for 7 months)
Silver sponsors:
- Domeneshop AS (for 127 months)
- Nantes Métropole (for 121 months)
- Univention GmbH (for 113 months)
- Université Jean Monnet de St Etienne (for 113 months)
- Ribbon Communications, Inc. (for 107 months)
- Exonet B.V. (for 97 months)
- Leibniz Rechenzentrum (for 91 months)
- Ministère de l’Europe et des Affaires Étrangères (for 75 months)
- Cloudways by DigitalOcean (for 64 months)
- Dinahosting SL (for 62 months)
- Bauer Xcel Media Deutschland KG (for 56 months)
- Platform.sh SAS (for 56 months)
- Moxa Inc. (for 50 months)
- sipgate GmbH (for 48 months)
- OVH US LLC (for 46 months)
- Tilburg University (for 46 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 37 months)
- Soliton Systems K.K. (for 34 months)
- THINline s.r.o. (for 10 months)
- Copenhagen Airports A/S (for 4 months)
Bronze sponsors:
- Evolix (for 127 months)
- Seznam.cz, a.s. (for 127 months)
- Intevation GmbH (for 124 months)
- Linuxhotel GmbH (for 124 months)
- Daevel SARL (for 123 months)
- Bitfolk LTD (for 122 months)
- Megaspace Internet Services GmbH (for 122 months)
- Greenbone AG (for 121 months)
- NUMLOG (for 121 months)
- WinGo AG (for 120 months)
- Entr’ouvert (for 111 months)
- Adfinis AG (for 109 months)
- Tesorion (for 104 months)
- GNI MEDIA (for 103 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 103 months)
- Bearstech (for 95 months)
- LiHAS (for 95 months)
- Catalyst IT Ltd (for 90 months)
- Supagro (for 85 months)
- Demarcq SAS (for 84 months)
- Université Grenoble Alpes (for 70 months)
- TouchWeb SAS (for 62 months)
- SPiN AG (for 59 months)
- CoreFiling (for 55 months)
- Institut des sciences cognitives Marc Jeannerod (for 50 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 46 months)
- Tem Innovations GmbH (for 41 months)
- WordFinder.pro (for 40 months)
- CNRS DT INSU Résif (for 39 months)
- Alter Way (for 32 months)
- Institut Camille Jordan (for 22 months)
- SOBIS Software GmbH (for 7 months)

ELA-1305-2 ruby2.5 regression update (by )

Wed, 12 Feb 2025 23:49:11 +0000

Package : ruby2.5

Version : 2.5.5-3+deb10u9 (buster)

A regression was found in the REXML gem shipped with ruby2.5.

Some valid XML file were wrongly considered invalid for some namespace corner case (particularly XML file using the xml: namespace).

ELA-1321-1 dcmtk security update (by )

Wed, 12 Feb 2025 23:50:44 +0200

Package : dcmtk

Version : 3.6.1~20160216-4.1+deb9u1 (stretch), 3.6.4-2.1+deb10u2 (buster)

Related CVEs : CVE-2024-47796 CVE-2024-52333

Two cases of improper array index validation have been fixed in DCMTK, a collection of libraries and applications implementing large parts the DICOM standard for medical images.

Additionally, a regression introduced in the previous update has been fixed.

ELA-1320-1 openjdk-8 new java update (by )

Wed, 12 Feb 2025 10:51:49 +0100

Package : openjdk-8

Version : 8u442-ga-1~deb8u1 (jessie), 8u442-ga-1~deb9u1 (stretch)

This update brings OpenJDK 8u442, which comes with stability and bug fixes.

ELA-1319-1 asterisk security update (by )

Wed, 12 Feb 2025 02:13:01 +0100

Package : asterisk

Version : 1:13.14.1~dfsg-2+deb9u11 (stretch), 1:16.28.0~dfsg-0+deb10u6 (buster)

Related CVEs : CVE-2024-53566

A vulnerability was discovered in asterisk, an Open Source Private Branch Exchange.

CVE-2024-53566

It is possible to access files outside the configuration directory via AMI
and path traversal even when live_dangerously is not enabled.

Debian Contributions: Python 3.13 as the default Python 3 version, Fixing qtpaths6 for cross compilation, sbuild support for Salsa CI, Rails 7 transition, DebConf preparations and more! (by Anupa Ann Joseph)

Anupa Ann Joseph — Tue, 11 Feb 2025 00:00:00 +0000

Debian Contributions: 2025-01

Python 3.13 is now the default Python 3 version in Debian, by Stefano Rivera and Colin Watson

The Python 3.13 as default transition has now completed. The next step is to remove Python 3.12 from the archive, which should be very straightforward, it just requires rebuilding C extension packages in no particular order. Stefano fixed some miscellaneous bugs blocking the completion of the 3.13 as default transition.

Fixing `qtpaths6` for cross compilation, by Helmut Grohne

While Qt5 used to use qmake to query installation properties, Qt6 is moving more and more to CMake and to ease that transition it relies on more qtpaths. Since this tool is not naturally aware of the architecture it is called for, it tends to produce results for the build architecture. Therefore, more than 100 packages were picking up a multiarch directory for the build architecture during cross builds. In collaboration with the Qt/KDE team and Sandro Knauß in particular (none affiliated with Freexian), we added an architecture-specific wrapper script in the same way qmake has one for Qt5 and Qt6 already. The relevant CMake module has been updated to prefer the triplet-prefixed wrapper. As a result, most of the KDE packages now cross build on unstable ready in time for the trixie release.

`/usr`-move, by Helmut Grohne

In December, Emil Södergren reported that a live-build was not working for him and in January, Colin Watson reported that the proposed mitigation for debian-installer-utils would practically fail. Both failures were to be attributed to a wrong understanding of implementation-defined behavior in dpkg-divert. As a result, all M18 mitigations had to be reviewed and many of them replaced. Many have been uploaded already and all instances have received updated patches.

Even though dumat has been in operation for more than a year, it gained recent changes. For one thing, analysis of architectures other than amd64 was requested. Chris Hofstaedler (not affiliated with Freexian) kindly provided computing resources for repeatedly running it on the larger set. Doing so revealed various cross-architecture undeclared file conflicts in gcc, glibc, and binutils-z80, but it also revealed a previously unknown /usr-move issue in rpi.rpi-common. On top of that, dumat produced false positive diagnostics and wrongly associated Debian bugs in some cases, both of which have now been fixed. As a result, a supposedly fixed python3-sepolicy issue had to be reopened.

rebootstrap, by Helmut Grohne

As much as we think of our base system as stable, it is changing a lot and the architecture cross bootstrap tooling is very sensitive to such changes requiring permanent maintenance. A problem that recently surfaced was that building a binutils cross toolchain would result in a binutils-for-host package that would not be practically installable as it would depend on a binutils-common package that was not built. This turned into an examination of binutils-common and noticing that it actually differed across architectures even though it should not. Johannes Schauer Marin Rodrigues (not affiliated with Freexian) and Colin Watson kindly helped brainstorm possible solutions. Eventually, Helmut provided a patch to move gprofng bits out of binutils-common. Independently, Matthias Klose (not affiliated with Freexian) split out binutils-gold into a separate source package. As a result, binutils-common is now equal across architectures and can be marked Multi-Arch: foreign resolving the initial problem.

Salsa CI, by Santiago Ruano Rincón

Santiago continued the work about the sbuild support for Salsa CI, that was mentioned in the previous month report. The !568 merge request that created the new build image was merged, making it easier to test !569 with external projects. Santiago used a fork of the debusine repo to try the draft !569, and some issues were spotted, and part of them fixed. This is the last debusine pipeline run with the current !569: https://salsa.debian.org/santiago/debusine/-/pipelines/794233. One of the last improvements relates to how to enable projects to customize the pipeline, in an equivalent way than they currently do in the extract-source and build jobs. While this is work-in-progress, the results are rather promising. Next steps include deciding on introducing schroot support for bookworm, bookworm-security, and older releases, as they are done in the official debian buildd.

DebConf preparations, by Stefano Rivera and Santiago Ruano Rincón

DebConf will be happening in Brest, France, in July. Santiago continued the DebConf 25 organization work, looking for catering providers.

Both Stefano and Santiago have been reaching out to some potential sponsors. DebConf depends on sponsors to cover the organization cost, if your company depends on Debian, please consider sponsoring DebConf.

Stefano has been winding up some of the finances from previous DebConfs. Finalizing reimbursements to team members from DebConf 23, and handling some outstanding issues from DebConf 24. Stefano and the rest of the DebConf committee have been reviewing bids for DebConf 26, to select the next venue.

Ruby 3.3 is now the default Ruby interpreter, by Lucas Kanashiro

Ruby 3.3 is about to become the default Ruby interpreter for Trixie. Many bugs were fixed by Lucas and the Debian Ruby team during the sprint hold in Paris during Jan 27-31. The next step is to remove support of Ruby 3.1, which is the alternative Ruby interpreter for now. Thanks to the Debian Release team for all the support, especially Emilio Pozuelo Monfort.

Rails 7 transition, by Lucas Kanashiro

Rails 6 has been shipped by Debian since Bullseye, and as a WEB framework, many issues (especially security related issues) have been encountered and the maintainability of it becomes harder and harder. With that in mind, during the Debian Ruby team sprint last month, the transition to Rack 3 (an important dependency of rails containing many breaking changes) was started in Debian unstable, it is ongoing. Once it is done, the Rails 7 transition will take place, and Rails 7 should be shipped in Debian Trixie.

Miscellaneous contributions

Stefano improved a poor ImportError for users of the turtle module on Python 3, who haven’t installed the python3-tk package.
Stefano updated several packages to new upstream releases.
Stefano added the Python extension to the re2 package, allowing for the use of the Google RE2 regular expression library as a direct replacement for the standard library re module.
Stefano started provisioning a new physical server for the debian.social infrastructure.
Carles improved simplemonitor (documentation on systemd integration, worked with upstream for fixing a bug).
Carles upgraded packages to new upstream versions: python-ring-doorbell and python-asyncclick.
Carles did po-debconf translations to Catalan: reviewed 44 packages and submitted translations to 90 packages (via salsa merge requests or bugtracker bugs).
Carles maintained po-debconf-manager with small fixes.
Raphaël worked on some outstanding DEP-14 merge request and participated in the associated discussion. The discussions have been more contentious than anticipated, somewhat exacerbated by Otto’s desire to conclude fast while the required tool support is not yet there.
Raphaël, with the help of Philipp Kern from the DSA team, upgraded tracker.debian.org to use Django 4.2 (from bookworm-backports) which in turn enabled him to configure authentication via salsa.debian.org. It’s now possible to login to tracker.debian.org with your salsa credentials!
Raphaël updated zim — a nice desktop wiki that is very handy to organize your day-to-day digital life — to the latest upstream version (0.76).
Helmut sent patches for 10 cross build failures.
Helmut continued working on a tool for memory-based concurrency limit of builds.
Helmut NMUed libtool, opensysusers and virtualbox.
Enrico tried to support Helmut in working out tricky usrmerge situations
Thorsten Alteholz uploaded a new upstream version of brlaser.
Colin Watson upgraded 33 Python packages to new upstream versions, including fixes for CVE-2024-42353, CVE-2024-47532, and CVE-2025-22153.
Emilio Pozuelo managed various transitions, and fixed various RC bugs (telepathy-glib, xorg, xserver-xorg-video-vesa, apitrace, mesa).
Anupa attended the monthly team meeting for Debian publicity team and shared the social media stats.
Anupa assisted Jean-Pierre Giraud in the point release announcement for Debian 12.9 and published the Micronews.
Anupa took part in multiple Debian publicity team discussions regarding our presence in social media platforms.

ELA-1318-1 iperf3 security update (by )

Tue, 11 Feb 2025 00:36:47 +0100

Package : iperf3

Version : 3.9-1+deb8u1 (jessie), 3.9-1+deb9u1 (stretch), 3.9-1+deb10u1 (buster)

Several security vulnerabilities have been discovered in iperf3, an internet protocol bandwidth measuring tool, which may lead to a denial-of-service. When iperf3 was used as a server with RSA authentication CVE-2024-26306 allowed a timing side channel attack in RSA decryption operations sufficient for an attacker to recover credential plaintext.

ELA-1317-1 ark security update (by )

Sat, 08 Feb 2025 19:53:19 +0100

Package : ark

Version : 4:18.08.3-1+deb10u3 (buster)

Related CVEs : CVE-2024-57966

A flaw was discovered in ark, an archive utility for the KDE platform. Ark extracted archives with absolute paths to the corresponding location on the user’s file system. Absolute paths are now treated as relative paths to prevent overwriting of sensitive information.

ELA-1316-1 git-lfs security update (by )

Tue, 04 Feb 2025 13:14:07 +0100

Package : git-lfs

Version : 2.7.1-1+deb10u2 (buster)

Related CVEs : CVE-2024-53263

CVE-2024-53263

When Git LFS requests credentials from Git for a remote host, it passes portions of the host’s URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user’s Git credentials.

ELA-1315-1 sssd security update (by )

Sat, 01 Feb 2025 02:39:03 +0100

Package : sssd

Version : 1.15.0-3+deb9u3 (stretch), 1.16.3-3.2+deb10u3 (buster)

CVE-2018-10852

It was discovered that when SSSD created the UNIX pipe for communication between sudo and the sssd-sudo responder, the umask() call was set to be too permissive, which resulted in the pipe being readable and writable. Then, if an attacker used the same communication protocol that sudo uses to talk to SSSD, they could obtain the list of sudo rules for any user who stores their sudo rules in a remote directory.

While the sudo responder is not started by default by SSSD itself, utilities like ipa-client-install configure the sudo responder to be started.

CVE-2018-16838

It was discovered that when the Group Policy Objects (GPO) are not readable by SSSD due to a too strict permission settings on the server side, SSSD allows all authenticated users to login instead of denying access.

A new boolean setting ad_gpo_ignore_unreadable (defaulting to False) is introduced for environments where attributes in the groupPolicyContainer are not readable and changing the permissions on the GPO objects is not possible or desirable. See sssd-ad(5).

CVE-2019-3811

It was discovered that if a user was configured with no home directory set, then sssd(8) returns / (i.e., the root directory) instead of the empty string (meaning no home directory). This could impact services that restrict the user’s filesystem access to within their home directory through chroot() or similar.

CVE-2023-3758

A race condition flaw was found in SSSD where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting access to resources inappropriately.

(sssd 1.16.3-3.2+deb10u3 only fixes CVE-2023-3758 as the previous version was already immune to the other vulnerabilities.)

ELA-1314-1 ffmpeg security update (by )

Sat, 01 Feb 2025 00:33:13 +0100

Package : ffmpeg

Version : 7:3.2.19-0+deb9u6 (stretch)

Several issues have been found in ffmpeg, a package that contains tools for transcoding, streaming and playing of multimedia files Those issues are related to possible integer overflows, double-free on errors, out-of-bounds access and an incomplete check of negative durations.

ELA-1313-1 ffmpeg security update (by )

Sat, 01 Feb 2025 00:28:05 +0100

Package : ffmpeg

Version : 7:4.1.11-0+deb10u3 (buster)

ELA-1312-1 openjdk-11 security update (by )

Fri, 31 Jan 2025 14:41:21 +0100

Package : openjdk-11

Version : 11.0.26+4-1~deb10u1 (buster)

Related CVEs : CVE-2025-21502

An issue was found in the OpenJDK Java runtime, which may result in unauthorized access.

ELA-1311-1 busybox security update (by )

Fri, 31 Jan 2025 09:25:03 +0100

Package : busybox

Version : 1:1.22.0-9+deb8u6 (jessie), 1:1.22.0-19+deb9u3 (stretch), 1:1.30.1-4+deb10u1 (buster)

Multiple vulnerabilities have been found in BusyBox, a lightweight single-executable containing various Unix utilities, which potentially allow attackers to cause denial of service, information leakage, or arbitrary code execution through malformed gzip data, crafted LZMA input or crafted awk patterns.

CVE-2018-20679 (Jessie and Stretch only)

An issue was discovered in BusyBox before 1.30.0. An out of bounds read
in udhcp components (consumed by the DHCP server, client, and relay)
allows a remote attacker to leak sensitive information from the stack by
sending a crafted DHCP message. This is related to verification in
udhcp_get_option() in networking/udhcp/common.c that 4-byte options are
indeed 4 bytes.

CVE-2021-28831 (Buster only)

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit
on the huft_build result pointer, with a resultant invalid free or
segmentation fault, via malformed gzip data.

CVE-2021-42374

An out-of-bounds heap read in Busybox's unlzma applet leads to
information leak and denial of service when crafted LZMA-compressed
input is decompressed. This can be triggered by any applet/format that

CVE-2021-42378

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
getvar_i function

CVE-2021-42379

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
next_input_file function

CVE-2021-42380

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
clrvar function

CVE-2021-42381

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
hash_init function

CVE-2021-42382

use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
getvar_s function

CVE-2021-42384

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
handle_special function

CVE-2021-42385

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
evaluate function

CVE-2021-42386

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
nvalloc function

CVE-2022-48174

There is a stack overflow vulnerability in ash.c:6030 in busybox before
1.35. In the environment of Internet of Vehicles, this vulnerability can
be executed from command to arbitrary code execution.

CVE-2023-42364

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to
cause a denial of service via a crafted awk pattern in the awk.c
evaluate function.

CVE-2023-42365

A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a
crafted awk pattern in the awk.c copyvar function.

PHP 8.4 is now available in Freexian's PHP LTS offer (by )

Fri, 31 Jan 2025 00:00:00 +0000

We are pleased to announce that PHP version 8.4 is now available as part of Freexian’s PHP LTS offer. PHP 8.4 is available for Debian (10, 11, 12) releases and Ubuntu (20.04, 22.04, 24.04) releases.

For subscribing to the service and a complete matrix of supported PHP versions and Ubuntu and Debian releases, see Freexian’s PHP LTS offer.

This service is brought to you by Freexian in cooperation with Ondřej Surý.

ELA-1310-1 libreoffice security update (by )

Thu, 30 Jan 2025 22:18:24 +0000

Package : libreoffice

Version : 1:4.3.3-2+deb8u16 (jessie)

Related CVEs : CVE-2024-12425 CVE-2024-12426

Libreoffice, an office productivity software suite, was affected by two vulnerabilities

CVE-2024-12425

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was found
in The Document Foundation LibreOffice and allows Absolute Path Traversal. An attacker can write to arbitrary
locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files.

CVE-2024-12426

An Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability
was found in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental
variables or INI file values, so potentially sensitive information could be exfiltrated
to a remote server on opening a document containing such links.

ELA-1309-1 libgit2 security update (by )

Thu, 30 Jan 2025 19:44:11 +0100

Package : libgit2

Version : 0.21.1-3+deb8u2 (jessie)

Multiple vulnerabilities were discovered in libgit2.

CVE-2016-8568

The git_commit_message function in oid.c allows remote attackers to cause a denial of service (out-of-bounds read) via a cat-file command with a crafted object file.
CVE-2016-8569

The git_oid_nfmt function in commit.c allows remote attackers to cause a denial of service (NULL pointer dereference) via a cat-file command with a crafted object file.
CVE-2016-10128

Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 allows remote attackers to have unspecified impact via a crafted non-flush packet.
CVE-2016-10129

The Git Smart Protocol support in libgit2 allows remote attackers to cause a denial of service (NULL pointer dereference) via an empty packet line.
CVE-2018-8099

Incorrect returning of an error code in the index.c:read_entry() function leads to a double free in libgit2, which allows an attacker to cause a denial of service via a crafted repository index file.
CVE-2018-10887

An unexpected sign extension in git_delta_apply function in delta.c file may lead to an integer overflow which in turn leads to an out of bound read, allowing to read before the base object. An attacker may use this flaw to leak memory addresses or cause a Denial of Service.
CVE-2018-10888

A missing check in git_delta_apply function in delta.c file, may lead to an out-of-bound read while reading a binary delta file. An attacker may use this flaw to cause a Denial of Service.
CVE-2020-12278

path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository.
CVE-2020-12279

checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository
CVE-2024-24577

Using crafted inputs to the git_index_add function could cause heap corruption, and this had the potential to permit arbitrary code execution.

ELA-1308-1 activemq security update (by )

Thu, 30 Jan 2025 10:00:45 +0100

Package : activemq

Version : 5.6.0+dfsg1-4+deb8u4 (jessie)

Multiple security issues were discovered in Apache ActiveMQ, a multi-protocol message broker.

CVE-2018-11775

TLS hostname verification was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
CVE-2020-13920

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the “jmxrmi” entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects.
CVE-2021-26117

The optional LDAP login module can be configured to use anonymous access to the LDAP server. In this case, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.
CVE-2023-46604

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.

ELA-1307-1 git security update (by )

Tue, 28 Jan 2025 16:46:04 +0000

Package : git

Version : 1:2.1.4-2.1+deb8u15 (jessie), 1:2.11.0-3+deb9u12 (stretch), 1:2.20.1-2+deb10u10 (buster)

Related CVEs : CVE-2024-50349 CVE-2024-52006

Multiple vulnerabilities were discovered in git, a fast, scalable and distributed revision control system.

CVE-2024-50349

When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This could allow attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker’s control.

CVE-2024-52006

Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way.

ELA-1306-1 python-django security update (by )

Tue, 28 Jan 2025 11:17:55 +0000

Package : python-django

Version : 1.7.11-1+deb8u18 (jessie), 1:1.10.7-2+deb9u24 (stretch), 1:1.11.29-1+deb10u13 (buster)

Related CVEs : CVE-2024-53907 CVE-2024-56374

Two vulnerabilities were discovered in Django, a Python-based web development framework:

CVE-2024-53907: Prevent a potential Denial of Service (DoS) attack. The strip_tags method and striptags template filter were subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
CVE-2024-56374: Prevent another potential Denial of Service (DoS) attack. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could have led to a potential denial-of-service attack. The clean_ipv6_address and is_valid_ipv6_address functions were vulnerable as was the GenericIPAddressField form field. The GenericIPAddressField model field was not affected.

ELA-1305-1 ruby2.5 security update (by )

Sun, 26 Jan 2025 22:38:31 +0000

Package : ruby2.5

Version : 2.5.5-3+deb10u8 (buster)

Multiple vulnerabilities were found in ruby a popular programming language.

CVE-2024-35176

The REXML gem has a Denial of Service (DoS) vulnerability
when it parses an XML that has many <s in
an attribute value. Those who need to parse
untrusted XMLs may be impacted to this vulnerability.

CVE-2024-39908

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters such
as <, 0 and %>. If you need to parse untrusted XMLs,
you many be impacted to these vulnerabilities.

CVE-2024-41123

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters
such as whitespace character, >] and ]>.
If you need to parse untrusted XMLs, you may be impacted
to these vulnerabilities.

CVE-2024-41946

The REXML gem had a Denial of Service (DoS) vulnerability
when it parses an XML that has many entity expansions
with SAX2 or pull parser API.

CVE-2024-43398

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.6 has a Denial of Service (DoS)
vulnerability when it parses an XML that has many deep
elements that have same local name attributes.
If you need to parse untrusted XMLs with tree parser
API like REXML::Document.new, you may be impacted
to this vulnerability. If you use other parser APIs
such as stream parser API and SAX2 parser API,
you are not impacted.

CVE-2024-49761

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.9 has a ReDoS vulnerability
when it parses an XML that has many digits between
&# and x...; in a hex numeric character reference (&#x...;)

ELA-1304-1 postgresql-9.4 security update (by )

Sat, 25 Jan 2025 12:25:39 -0500

Package : postgresql-9.4

Version : 9.4.26-0+deb8u11 (jessie)

Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation, log manipulation, or denial of service.

CVE-2023-5870

A flaw was found in PostgreSQL involving the pg_cancel_backend role that
signals background workers, including the logical replication launcher,
autovacuum workers, and the autovacuum launcher. Successful exploitation
requires a non-core extension with a less-resilient background worker
and would affect that specific background worker only.

CVE-2024-10977

Client use of server error message in PostgreSQL allows a server not
trusted under current SSL or GSS settings to furnish arbitrary non-NUL
bytes to the libpq application. For example, a man-in-the-middle attacker
could send a long error message that a human or screen-scraper user of
psql mistakes for valid query results.

CVE-2024-10978

Incorrect privilege assignment in PostgreSQL allows a less-privileged
application user to view or change different rows from those intended. An
attack requires the application to use SET ROLE, SET SESSION
AUTHORIZATION, or an equivalent feature.

CVE-2024-10979

Incorrect control of environment variables in PostgreSQL PL/Perl allows
an unprivileged database user to change sensitive process environment
variables (e.g. PATH).

ELA-1303-1 postgresql-9.6 security update (by )

Sat, 25 Jan 2025 12:25:29 -0500

Package : postgresql-9.6

Version : 9.6.24-0+deb9u8 (stretch)

Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation, or log manipulation.

CVE-2024-10976

Incomplete tracking in PostgreSQL of tables with row security allows a
reused query to view or change different rows from those intended. It
leads to potentially incorrect policies being applied in cases where
role-specific policies are used and a given query is planned under one
role and then executed under other roles.

CVE-2024-10977

Client use of server error message in PostgreSQL allows a server not
trusted under current SSL or GSS settings to furnish arbitrary non-NUL
bytes to the libpq application. For example, a man-in-the-middle attacker
could send a long error message that a human or screen-scraper user of
psql mistakes for valid query results.

CVE-2024-10978

Incorrect privilege assignment in PostgreSQL allows a less-privileged
application user to view or change different rows from those intended. An
attack requires the application to use SET ROLE, SET SESSION
AUTHORIZATION, or an equivalent feature.

CVE-2024-10979

Incorrect control of environment variables in PostgreSQL PL/Perl allows
an unprivileged database user to change sensitive process environment
variables (e.g. PATH).

ELA-1302-1 postgresql-11 security update (by )

Sat, 25 Jan 2025 12:25:21 -0500

Package : postgresql-11

Version : 11.22-0+deb10u4 (buster)

Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation, or log manipulation.

CVE-2024-10976

Incomplete tracking in PostgreSQL of tables with row security allows a
reused query to view or change different rows from those intended. It
leads to potentially incorrect policies being applied in cases where
role-specific policies are used and a given query is planned under one
role and then executed under other roles.

CVE-2024-10977

Client use of server error message in PostgreSQL allows a server not
trusted under current SSL or GSS settings to furnish arbitrary non-NUL
bytes to the libpq application. For example, a man-in-the-middle attacker
could send a long error message that a human or screen-scraper user of
psql mistakes for valid query results.

CVE-2024-10978

Incorrect privilege assignment in PostgreSQL allows a less-privileged
application user to view or change different rows from those intended. An
attack requires the application to use SET ROLE, SET SESSION
AUTHORIZATION, or an equivalent feature.

CVE-2024-10979

Incorrect control of environment variables in PostgreSQL PL/Perl allows
an unprivileged database user to change sensitive process environment
variables (e.g. PATH).

ELA-1301-1 rails security update (by )

Fri, 24 Jan 2025 13:32:31 -0300

Package : rails

Version : 2:4.2.7.1-1+deb9u6 (stretch)

Multiple vunerabilities were discovered in rails, the Ruby based server-side MVC web application framework, which could result in XSS, data disclosure and open redirect.

CVE-2022-27777

A XSS Vulnerability in Action View tag helpers which would allow an attacker to inject content if able to control input into specific attributes.

CVE-2023-22792

A regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

CVE-2023-22795

A regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

CVE-2023-22796

A regular expression based DoS vulnerability in Active Support. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

CVE-2023-28120

A vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.

ELA-1300-1 frr security update (by )

Thu, 23 Jan 2025 12:29:54 +0100

Package : frr

Version : 7.5.1-1.1+deb10u4 (buster)

Related CVEs : CVE-2024-55553

In FRR, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket’s buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by causing more than this number of updates during an update interval (usually 30 minutes). Additionally, this effect regularly occurs organically. Furthermore, an attacker can use this to trigger route validation continuously. Given that routers with large full tables may need more than 30 minutes to fully re-validate the table, continuous issuance/withdrawal of large numbers of ROA may be used to impact the route handling performance of all FRR instances using RPKI globally. Additionally, the re-validation will cause heightened BMP traffic to ingestors.

ELA-1299-1 libreoffice security update (by )

Tue, 21 Jan 2025 15:47:20 +0000

Package : libreoffice

Version : 1:6.1.5-3+deb9u6 (stretch), 1:6.1.5-3+deb10u15 (buster)

Related CVEs : CVE-2024-12425 CVE-2024-12426

Libreoffice, an office productivity software suite, was affected by two vulnerabilities

CVE-2024-12425

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was found
in The Document Foundation LibreOffice and allows Absolute Path Traversal. An attacker can write to arbitrary
locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files.

CVE-2024-12426

An Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability
was found in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental
variables or INI file values, so potentially sensitive information could be exfiltrated
to a remote server on opening a document containing such links.

ELA-1298-1 tiff security update (by )

Mon, 20 Jan 2025 17:24:16 +0200

Package : tiff

Version : 4.0.3-12.3+deb8u18 (jessie), 4.0.8-2+deb9u13 (stretch), 4.1.0+git191117-2~deb10u10 (buster)

Related CVEs : CVE-2024-7006

NULL pointer dereference in TIFFReadDirectory()/TIFFReadCustomDirectory() has been fixed in tiff, a library and tools providing support for the Tag Image File Format (TIFF).

Additionally, issues with the earlier fixes for CVE-2023-52356 and CVE-2023-25433 have been resolved.

ELA-1297-1 redis security update (by )

Mon, 20 Jan 2025 17:02:28 +0200

Package : redis

Version : 2:2.8.17-1+deb8u14 (jessie), 3:3.2.6-3+deb9u14 (stretch), 5:5.0.14-1+deb10u7 (buster)

Related CVEs : CVE-2024-46981

Possible code execution with Lua scripting due to a missing call to the garbage collector has been fixed in the key–value database Redis.

ELA-1296-1 libtar security update (by )

Mon, 20 Jan 2025 16:21:53 +0200

Package : libtar

Version : 1.2.20-7+deb10u1 (buster)

Multiple vulnerabilities have been fixed in libtar, a library for manipulating tar archives.

CVE-2021-33643

out-of-bounds read in gnu_longlink()

CVE-2021-33644

out-of-bounds read in gnu_longname()

CVE-2021-33645

memory leak in th_read()

CVE-2021-33646 memory leak in th_read()

ELA-1295-1 hplip security update (by )

Mon, 20 Jan 2025 15:56:11 +0200

Package : hplip

Version : 3.16.11+repack0-3+deb9u1 (stretch), 3.18.12+dfsg0-2+deb10u1 (buster)

Related CVEs : CVE-2020-6923

MDNS buffer issues have been fixed in HPLIP, the HP Linux Imaging and Printing system.

ELA-1290-2 rsync regression update (by )

Sun, 19 Jan 2025 19:32:48 +0100

Package : rsync

Version : 3.1.1-3+deb8u4 (jessie), 3.1.2-1+deb9u5 (stretch), 3.1.3-6+deb10u2 (buster)

The update for rsync announced in ELA 1290-1 introduced a regression when using the -H option to preserve hard links. Updated packages are now available to correct this issue.

ELA-1294-1 ucf security update (by )

Thu, 16 Jan 2025 17:03:34 +0000

Package : ucf

Version : 3.0030+deb8u1 (jessie), 3.0036+deb9u1 (stretch), 3.0038+nmu1+deb10u1 (buster)

A potential command-injection vulnerability was discovered in ucf, a tool to preserve user changes to config files.

ELA-1293-1 tomcat9 security update (by )

Wed, 15 Jan 2025 22:28:53 +0100

Package : tomcat9

Version : 9.0.31-1~deb10u13 (buster)

Several problems have been addressed in Tomcat 9, a Java based web server, servlet and JSP engine.

CVE-2024-21733

Generation of Error Message Containing Sensitive Information vulnerability
in Apache Tomcat.

CVE-2024-38286

Apache Tomcat, under certain configurations, allows an attacker to cause an
OutOfMemoryError by abusing the TLS handshake process.

CVE-2024-52316

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is
configured to use a custom Jakarta Authentication (formerly JASPIC)
ServerAuthContext component which may throw an exception during the
authentication process without explicitly setting an HTTP status to
indicate failure, the authentication may not fail, allowing the user to
bypass the authentication process. There are no known Jakarta
Authentication components that behave in this way.

CVE-2024-50379 / CVE-2024-56337

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP
compilation in Apache Tomcat permits an RCE on case insensitive file
systems when the default servlet is enabled for write (non-default
configuration).
Some users may need additional configuration to fully mitigate
CVE-2024-50379 depending on which version of Java they are using with
Tomcat. For Debian 10 "buster" the system property
sun.io.useCanonCaches must be explicitly set to false (it defaults to
true). Most Debian users will not be affected because Debian uses case
sensitive file systems by default.

ELA-1292-1 tomcat8 security update (by )

Wed, 15 Jan 2025 16:20:19 +0100

Package : tomcat8

Version : 8.5.54-0+deb9u17 (stretch)

Several problems have been addressed in Tomcat 8, a Java based web server, servlet and JSP engine, which may have led to an OutOfMemoryError or the revelation of sensitive information.

CVE-2024-21733

Generation of Error Message Containing Sensitive Information vulnerability
in Apache Tomcat.

CVE-2024-38286

Apache Tomcat, under certain configurations, allows an attacker to cause an
OutOfMemoryError by abusing the TLS handshake process.

CVE-2024-52316

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is
configured to use a custom Jakarta Authentication (formerly JASPIC)
ServerAuthContext component which may throw an exception during the
authentication process without explicitly setting an HTTP status to
indicate failure, the authentication may not fail, allowing the user to
bypass the authentication process. There are no known Jakarta
Authentication components that behave in this way.

ELA-1291-1 tomcat7 security update (by )

Wed, 15 Jan 2025 00:31:00 +0100

Package : tomcat7

Version : 7.0.56-3+really7.0.109-1+deb8u7 (jessie)

Related CVEs : CVE-2024-23672

A denial-of-service vulnerability was found in Tomcat 7, a Java based web server, servlet and JSP engine. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.

ELA-1290-1 rsync security update (by )

Tue, 14 Jan 2025 19:51:14 +0100

Package : rsync

Version : 3.1.1-3+deb8u3 (jessie), 3.1.2-1+deb9u4 (stretch), 3.1.3-6+deb10u1 (buster)

Several vulnerabilities were discovered in rsync, a fast, versatile, remote (and local) file-copying tool.

CVE-2024-12085

Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a flaw in
the way rsync compares file checksums, allowing a remote attacker to
trigger an information leak.

CVE-2024-12086

Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a flaw
which would result in a server leaking contents of an arbitrary file
from the client's machine.

CVE-2024-12087

Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a path
traversal vulnerability in the rsync daemon affecting the
--inc-recursive option, which could allow a server to write files
outside of the client's intended destination directory.

CVE-2024-12088

Simon Scannell, Pedro Gallegos and Jasiel Spelman reported that when
using the --safe-links option, rsync fails to properly verify if a
symbolic link destination contains another symbolic link with it,
resulting in path traversal and arbitrary file write outside of the
desired directory.

CVE-2024-12747

Aleksei Gorban "loqpa" discovered a race condition when handling
symbolic links resulting in an information leak which may enable
escalation of privileges.

ELA-1289-1 python-reportlab security update (by )

Tue, 14 Jan 2025 17:33:40 +0100

Package : python-reportlab

Version : 3.1.8-3+deb8u3 (jessie)

Related CVEs : CVE-2019-19450 CVE-2020-28463

CVE-2019-19450

Ravi Prakash Giri discovered a remote code execution vulnerability via crafted XML document where <unichar code=" is followed by arbitrary Python code.

This issue is similar to CVE-2019-17626.

CVE-2020-28463

Karan Bamal discovered a Server-side Request Forgery (SSRF) vulnerability via <img> tags. New settings trustedSchemes and trustedHosts have been added as part of the fix/mitigation: they can be used to specify an explicit allowlist for remote sources.

ELA-1288-1 linux-6.1 security update (by )

Tue, 14 Jan 2025 14:02:17 +0100

Package : linux-6.1

Version : 6.1.119-1~deb9u1 (stretch), 6.1.119-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

Monthly report about Debian Long Term Support, December 2024 (by Roberto C. Sánchez)

Roberto C. Sánchez — Mon, 13 Jan 2025 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In December, 19 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 14.0h (out of 14.0h assigned).
Adrian Bunk did 47.75h (out of 53.0h assigned and 47.0h from previous period), thus carrying over 52.25h to the next month.
Andrej Shadura did 6.0h (out of 17.0h assigned and -7.0h from previous period after hours given back), thus carrying over 4.0h to the next month.
Bastien Roucariès did 22.0h (out of 22.0h assigned).
Ben Hutchings did 15.0h (out of 0.0h assigned and 18.0h from previous period), thus carrying over 3.0h to the next month.
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 23.0h (out of 17.0h assigned and 9.0h from previous period), thus carrying over 3.0h to the next month.
Emilio Pozuelo Monfort did 32.25h (out of 40.5h assigned and 19.5h from previous period), thus carrying over 27.75h to the next month.
Guilhem Moulin did 22.5h (out of 9.75h assigned and 12.75h from previous period).
Jochen Sprickerhof did 2.0h (out of 3.5h assigned and 6.5h from previous period), thus carrying over 8.0h to the next month.
Lee Garrett did 8.5h (out of 14.75h assigned and 45.25h from previous period), thus carrying over 51.5h to the next month.
Lucas Kanashiro did 32.0h (out of 10.0h assigned and 54.0h from previous period), thus carrying over 32.0h to the next month.
Markus Koschany did 40.0h (out of 20.0h assigned and 20.0h from previous period).
Roberto C. Sánchez did 13.5h (out of 6.75h assigned and 17.25h from previous period), thus carrying over 10.5h to the next month.
Santiago Ruano Rincón did 18.75h (out of 24.75h assigned and 0.25h from previous period), thus carrying over 6.25h to the next month.
Sean Whitton did 6.0h (out of 2.0h assigned and 4.0h from previous period).
Sylvain Beucler did 10.5h (out of 21.5h assigned and 38.5h from previous period), thus carrying over 49.5h to the next month.
Thorsten Alteholz did 11.0h (out of 11.0h assigned).
Tobias Frost did 12.0h (out of 12.0h assigned).

Evolution of the situation

In December, we have released 29 DLAs.

The LTS Team has published updates to several notable packages. Contributor Guilhem Moulin published an update of php7.4, a widely-used open source general purpose scripting language, which addressed denial of service, authorization bypass, and information disclosure vulnerabilities. Contributor Lucas Kanashiro published an update of clamav, an antivirus toolkit for Unix and Linux, which addressed denial of service and authorization bypass vulnerabilities. Finally, contributor Tobias Frost published an update of intel-microcode, the microcode for Intel microprocessors, which well help to ensure that processor hardware is protected against several local privilege escalation and local denial of service vulnerabilities.

Beyond our customary LTS package updates, the LTS Team has made contributions to Debian’s stable bookworm release and its experimental section. Notably, contributor Lee Garrett published a stable update of dnsmasq. The LTS update was previously published in November and in December Lee continued working to bring the same fixes (addressing the high profile KeyTrap and NSEC3 vulnerabilities) to the dnsmasq package in Debian bookworm. This package was accepted for inclusion in the Debian 12.9 point release scheduled for January 2025. Addititionally, contributor Sean Whitton provided assistance, via upload sponsorships, to the Debian maintainers of xen. This assistance resulted in two uploads of xen into Debian’s experimental section, which will contribute to the next Debian stable release having a version of xen with better longterm support from the upstream development team.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 111 months)
- Civil Infrastructure Platform (CIP) (for 79 months)
- VyOS Inc (for 43 months)
Gold sponsors:
- Roche Diagnostics International AG (for 121 months)
- Akamai - Linode (for 115 months)
- Babiel GmbH (for 105 months)
- Plat’Home (for 104 months)
- University of Oxford (for 61 months)
- Deveryware (for 48 months)
- EDF SA (for 33 months)
- Dataport AöR (for 8 months)
- CERN (for 6 months)
Silver sponsors:
- Domeneshop AS (for 126 months)
- Nantes Métropole (for 120 months)
- Univention GmbH (for 112 months)
- Université Jean Monnet de St Etienne (for 112 months)
- Ribbon Communications, Inc. (for 106 months)
- Exonet B.V. (for 96 months)
- Leibniz Rechenzentrum (for 90 months)
- Ministère de l’Europe et des Affaires Étrangères (for 74 months)
- Cloudways by DigitalOcean (for 63 months)
- Dinahosting SL (for 61 months)
- Bauer Xcel Media Deutschland KG (for 55 months)
- Platform.sh SAS (for 55 months)
- Moxa Inc. (for 49 months)
- sipgate GmbH (for 47 months)
- OVH US LLC (for 45 months)
- Tilburg University (for 45 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 36 months)
- Soliton Systems K.K. (for 33 months)
- THINline s.r.o. (for 9 months)
- Copenhagen Airports A/S (for 3 months)
Bronze sponsors:
- Evolix (for 126 months)
- Seznam.cz, a.s. (for 126 months)
- Intevation GmbH (for 123 months)
- Linuxhotel GmbH (for 123 months)
- Daevel SARL (for 122 months)
- Bitfolk LTD (for 121 months)
- Megaspace Internet Services GmbH (for 121 months)
- Greenbone AG (for 120 months)
- NUMLOG (for 120 months)
- WinGo AG (for 119 months)
- Entr’ouvert (for 111 months)
- Adfinis AG (for 108 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 103 months)
- Tesorion (for 103 months)
- GNI MEDIA (for 102 months)
- Bearstech (for 94 months)
- LiHAS (for 94 months)
- Catalyst IT Ltd (for 89 months)
- Supagro (for 84 months)
- Demarcq SAS (for 83 months)
- Université Grenoble Alpes (for 69 months)
- TouchWeb SAS (for 61 months)
- SPiN AG (for 58 months)
- CoreFiling (for 54 months)
- Institut des sciences cognitives Marc Jeannerod (for 49 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 45 months)
- Tem Innovations GmbH (for 40 months)
- WordFinder.pro (for 39 months)
- CNRS DT INSU Résif (for 38 months)
- Alter Way (for 31 months)
- Institut Camille Jordan (for 21 months)
- SOBIS Software GmbH (for 6 months)

ELA-1287-1 python-tornado security update (by )

Sat, 11 Jan 2025 17:20:45 +0100

Package : python-tornado

Version : 4.4.3-1+deb9u1 (stretch), 5.1.1-4+deb10u1 (buster)

Related CVEs : CVE-2023-28370 CVE-2024-52804

Multiple vulnerabilities were discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.

CVE-2023-28370

An open redirect vulnerability in Tornado versions 6.3.1 and earlier allows
a remote unauthenticated attacker to redirect a user to an arbitrary web
site and conduct a phishing attack by having the user access a specially
crafted URL.

CVE-2024-52804

The algorithm used for parsing HTTP cookies in Tornado versions prior to
6.4.2 sometimes has quadratic complexity, leading to excessive CPU
consumption when parsing maliciously-crafted cookie headers. This
parsing occurs in the event loop thread and may block the processing of
other requests.

Debian Contributions: Tracker.debian.org updates, Salsa CI improvements, Coinstallable build-essential, Python 3.13 transition, Ruby 3.3 transition and more! (by Anupa Ann Joseph, Stefano Rivera)

Anupa Ann Joseph, Stefano Rivera — Thu, 09 Jan 2025 00:00:00 +0000

Debian Contributions: 2024-12

Tracker.debian.org updates, by Raphaël Hertzog

Profiting from end-of-year vacations, Raphaël prepared for tracker.debian.org to be upgraded to Debian 12 bookworm by getting rid of the remnants of python3-django-jsonfield in the code (it was superseded by a Django-native field). Thanks to Philipp Kern from the Debian System Administrators team, the upgrade happened on December 23rd.

Raphaël also improved distro-tracker to better deal with invalid Maintainer fields which recently caused multiples issues in the regular data updates (#1089985, MR 105). While working on this, he filed #1089648 asking dpkg tools to error out early when maintainers make such mistakes.

Finally he provided feedback to multiple issues and merge requests (MR 106, issues #21, #76, #77), there seems to be a surge of interest in distro-tracker lately. It would be nice if those new contributors could stick around and help out with the significant backlog of issues (in the Debian BTS, in Salsa).

Salsa CI improvements, by Santiago Ruano Rincón

Given that the Debian buildd network now relies on sbuild using the unshare backend, and that Salsa CI’s reproducibility testing needs to be reworked (#399), Santiago resumed the work for moving the build job to use sbuild. There was some related work a few months ago that was focused on sbuild with the schroot and the sudo backends, but those attempts were stalled for different reasons, including discussions around the convenience of the move (#296). However, using sbuild and unshare avoids all of the drawbacks that have been identified so far. Santiago is preparing two merge requests: !568 to introduce a new build image, and !569 that moves all the extract-source related tasks to the build job. As mentioned in the previous reports, this change will make it possible for more projects to use the pipeline to build the packages (See #195). Additional advantages of this change include a more optimal way to test if a package builds twice in a row: instead of actually building it twice, the Salsa CI pipeline will configure sbuild to check if the clean target of debian/rules correctly restores the source tree, saving some CPU cycles by avoiding one build. Also, the images related to Ubuntu won’t be needed anymore, since the build job will create chroots for different distributions and vendors from a single common build image. This will save space in the container registry. More changes are to come, especially those related to handling projects that customize the pipeline and make use of the extract-source job.

Coinstallable `build-essential`, by Helmut Grohne

Building on the gcc-for-host work of last December, a notable patch turning build-essential Multi-Arch: same became feasible. Whilst the change is small, its implications and foundations are not. We still install crossbuild-essential-$ARCH for cross building and due to a britney2 limitation, we cannot have it depend on the host’s C library. As a result, there are workarounds in place for sbuild and pbuilder. In turning build-essential Multi-Arch: same, we may actually express these dependencies directly as we install build-essential:$ARCH instead. The crossbuild-essential-$ARCH packages will continue to be available as transitional dummy packages.

Python 3.13 transition, by Colin Watson and Stefano Rivera

Building on last month’s work, Colin, Stefano, and other members of the Debian Python team fixed 3.13 compatibility bugs in many more packages, allowing 3.13 to now be a supported but non-default version in testing. The next stage will be to switch to it as the default version, which will start soon. Stefano did some test-rebuilds of packages that only build for the default Python 3 version, to find issues that will block the transition. The default version transition typically shakes out some more issues in applications that (unlike libraries) only test with the default Python version.

Colin also fixed Sphinx 8.0 compatibility issues in many packages, which otherwise threatened to get in the way of this transition.

Ruby 3.3 transition, by Lucas Kanashiro

The Debian Ruby team decided to ship Ruby 3.3 in the next Debian release, and Lucas took the lead of the interpreter transition with the assistance of the rest of the team. In order to understand the impact of the new interpreter in the ruby ecosystem, ruby-defaults was uploaded to experimental adding ruby3.3 as an alternative interpreter, and a mass rebuild of reverse dependencies was done here. Initially, a couple of hundred packages were failing to build, after many rounds of rebuilds, adjustments, and many uploads we are down to 30 package build failures, of those, 21 packages were asked to be removed from testing and for the other 9, bugs were filled. All the information to track this transition can be found here. Now, we are waiting for PHP 8.4 to finish to avoid any collision. Once it is done the Ruby 3.3 transition will start in unstable.

Miscellaneous contributions

Enrico Zini redesigned the way nm.debian.org stores historical audit logs and personal data backups.
Carles Pina submitted a new package (python-firebase-messaging) and prepared updates for python3-ring-doorbell.
Carles Pina developed further po-debconf-manager: better state transition, fixed bugs, automated assigning translators and reviewers on edit, updating po header files automatically, fixed bugs, etc.
Carles Pina reviewed, submitted and followed up the debconf templates translation (more than 20 packages) and translated some packages (about 5).
Santiago continued to work on DebConf 25 organization related tasks, including handling the logo survey and results. Stefano spent time on DebConf 25 too.
Santiago continued the exploratory work about linux livepatching with Emmanuel Arias. Santiago and Emmanuel found a challenge since kpatch won’t fully support linux in trixie and newer, so they are exploring alternatives such as klp-build.
Helmut maintained the /usr-move transition filing bugs in e.g. bubblewrap, e2fsprogs, libvpd-2.2-3, and pam-tmpdir and corresponding on related issues such as kexec-tools and live-build. The removal of the usrmerge package unfortunately broke debootstrap and was quickly reverted. Continued fallout is expected and will continue until trixie is released.
Helmut sent patches for 10 cross build failures and worked with Sandro Knauß on stuck Qt/KDE patches related to cross building.
Helmut continued to maintain rebootstrap removing the need to build gnu-efi in the process.
Helmut collaborated with Emanuele Rocca and Jochen Sprickerhof on an interesting adventure in diagnosing why gcc would FTBFS in recent sbuild.
Helmut proposed supporting build concurrency limits in coreutils’s nproc. As it turns out nproc is not a good place for this functionality.
Colin worked with Sandro Tosi and Andrej Shadura to finish resolving the multipart vs. python-multipart name conflict, as mentioned last month.
Colin upgraded 48 Python packages to new upstream versions, fixing four CVEs and a number of compatibility bugs with recent Python versions.
Colin issued an openssh bookworm update with a number of fixes that had accumulated over the last year, especially fixing GSS-API key exchange which had been quite broken in bookworm.
Stefano fixed a minor bug in debian-reimbursements that was disallowing combination PDFs containing JAL tickets, encoded in UTF-16.
Stefano uploaded a stable update to PyPy3 in bookworm, catching up with security issues resolved in cPython.
Stefano fixed a regression in the eventlet from his Python 3.13 porting patch.
Stefano continued discussing a forwarded patch (renaming the sysconfigdata module) with cPython upstream, ending in a decision to drop the patch from Debian. This will need some continued work.
Anupa participated in the Debian Publicity team meeting in December, which discussed the team activities done in 2024 and projects for 2025.

ELA-1286-1 sympa security update (by )

Mon, 06 Jan 2025 11:15:21 +0100

Package : sympa

Version : 6.2.40~dfsg-1+deb10u2 (buster)

Related CVEs : CVE-2024-55919

A flaw was found in Sympa’s web interface, a modern mailing list manager. An attacker may bypass authentication by using an arbitrary e-mail address when the generic SSO loging feature was enabled.

ELA-1285-1 ca-certificates-java bugfix update (by )

Fri, 03 Jan 2025 12:27:48 +0000

Package : ca-certificates-java

Version : 20190405+deb10u1 (buster)

ca-certificate-java, a package that update the cacerts keystore (a collection of trusted certificate authority certificates) used for many java runtimes, failed to install.

ELA-1284-1 fastnetmon security update (by )

Mon, 30 Dec 2024 13:25:47 +0100

Package : fastnetmon

Version : 1.1.3+dfsg-8.1+deb10u1 (buster)

Related CVEs : CVE-2024-56073

A potential security issue has been discovered in FastNetMon, a fast DDoS analyzer: Malformed Netflow traffic could result in denial of service.

ELA-1283-1 gst-plugins-base0.10 security update (by )

Sun, 29 Dec 2024 11:08:47 +0000

Package : gst-plugins-base0.10

Version : 0.10.36-2+deb8u5 (jessie)

gstreamer a multimedia framework was affected by multiple vulnerabilities.

CVE-2024-47541

An Out of Bound write vulnerability has been
identified in the gst_ssa_parse_remove_override_codes
function of the gstssaparse.c file.

CVE-2024-47542

A null pointer dereference has been
discovered in the id3v2_read_synch_uint function, located
in id3v2.c

CVE-2024-47615

An Out Of Bound Write has been detected
in the function gst_parse_vorbis_setup_packet within
vorbis_parse.c.

ELA-1282-1 gst-plugins-base1.0 security update (by )

Sat, 28 Dec 2024 21:19:33 +0000

Package : gst-plugins-base1.0

Version : 1.4.4-2+deb8u6 (jessie), 1.10.4-1+deb9u5 (stretch), 1.14.4-2+deb10u4 (buster)

gstreamer a multimedia framework was affected by multiple vulnerabilities.

CVE-2024-47538

A stack-buffer overflow has been detected
in the `vorbis_handle_identification_packet`
function within `gstvorbisdec.c`

CVE-2024-47541

An Out of Bound write vulnerability has been
identified in the gst_ssa_parse_remove_override_codes
function of the gstssaparse.c file.

CVE-2024-47542

A null pointer dereference has been
discovered in the id3v2_read_synch_uint function, located
in id3v2.c

CVE-2024-47600

An Out of Bound read vulnerability has been
detected in the format_channel_mask function in
gst-discoverer.c

CVE-2024-47607

A stack-buffer overflow has been
detected in the gst_opus_dec_parse_header function
within `gstopusdec.c'.

CVE-2024-47615

An Out Of Bound Write has been detected
in the function gst_parse_vorbis_setup_packet within
vorbis_parse.c.

CVE-2024-47835

A null pointer dereference vulnerability
has been detected in the parse_lrc function within
gstsubparse.c

ELA-1281-1 gstreamer1.0 security update (by )

Fri, 27 Dec 2024 10:29:36 +0000

Package : gstreamer1.0

Version : 1.4.4-2+deb8u2 (jessie), 1.10.4-1+deb9u1 (stretch), 1.14.4-1+deb10u1 (buster)

Related CVEs : CVE-2024-47606

gstreamer a multimedia framework was affected by a vulnerability.

The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the ‘slice_size’ variable.

ELA-1280-1 amavisd-new security update (by )

Thu, 26 Dec 2024 20:52:43 +0100

Package : amavisd-new

Version : 1:2.10.1-4+deb9u1 (stretch), 1:2.11.0-6.1+deb10u1 (buster)

Related CVEs : CVE-2024-28054

Amavis has an interpretation conflict when there are ambiguous boundary delimiters in a MIME email message. An attacker can send crafted emails that avoid checks for banned files or malware.

Amavis now treats such emails as UNCHECKED, and this new behavior can be configured, see:

ELA-1279-1 php5 security update (by )

Thu, 26 Dec 2024 15:12:38 +0100

Package : php5

Version : 5.6.40+dfsg-0+deb8u22 (jessie)

CVE-2024-8929

Sébastien Rolland discovered a partial content leak of the heap through heap buffer over-read in mysqlnd.

By connecting to a fake MySQL server or tampering with network packets and initiating a SQL Query, it is possible to abuse php_mysqlnd_rset_field_read() when parsing MySQL fields packets in order to include the rest of the heap content starting from the address of the cursor of the currently read buffer.

CVE-2024-8932

Yiheng Cao discovered that uncontrolled long string inputs to ldap_escape() on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

CVE-2024-11233

A memory-related vulnerability was discovered in the filter handling system, particularly when processing input with convert.quoted-printable-decode filters, which could lead to a segmentation fault.

This vulnerability is triggered through specific sequences of input data, causing PHP to crash. When exploited, it allows an attacker to extract a single byte of data from the heap or result in denial of service.

CVE-2024-11234

Lorenzo Leonardini discovered that Configuring a proxy in a stream context might allow for CRLF injection in URIs, which could lead to authorization bypass by Server Side Request Forgery attack (SSRF).

CVE-2024-11236

An integer overflow vulnerability was found in the firebird and dblib quoters, which can result in out-of-bounds writes.

GHSA-4w77-75f9-2c8w

A heap-use-after-free vulnerability was discovered in the sapi_read_post_data() function, which could allow an attacker to exploit memory safety issues during POST request processing.

In addition, this releases fixes a segfault on close() after free_result() with mysqlnd, which wasn’t assigned an advisory number.

ELA-1278-1 php7.0 security update (by )

Thu, 26 Dec 2024 15:12:37 +0100

Package : php7.0

Version : 7.0.33-0+deb9u20 (stretch)

CVE-2024-8929

Sébastien Rolland discovered a partial content leak of the heap through heap buffer over-read in mysqlnd.

CVE-2024-8932

Yiheng Cao discovered that uncontrolled long string inputs to ldap_escape() on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

CVE-2024-11233

CVE-2024-11234

CVE-2024-11236

An integer overflow vulnerability was found in the firebird and dblib quoters, which can result in out-of-bounds writes.

GHSA-4w77-75f9-2c8w

A heap-use-after-free vulnerability was discovered in the sapi_read_post_data() function, which could allow an attacker to exploit memory safety issues during POST request processing.

ELA-1277-1 php7.3 security update (by )

Thu, 26 Dec 2024 15:12:36 +0100

Package : php7.3

Version : 7.3.31-1~deb10u9 (buster)

CVE-2024-8929

Sébastien Rolland discovered a partial content leak of the heap through heap buffer over-read in mysqlnd.

CVE-2024-8932

Yiheng Cao discovered that uncontrolled long string inputs to ldap_escape() on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

CVE-2024-11233

CVE-2024-11234

CVE-2024-11236

An integer overflow vulnerability was found in the firebird and dblib quoters, which can result in out-of-bounds writes.

GHSA-4w77-75f9-2c8w

A heap-use-after-free vulnerability was discovered in the sapi_read_post_data() function, which could allow an attacker to exploit memory safety issues during POST request processing.

ELA-1276-1 intel-microcode security update (by )

Mon, 23 Dec 2024 20:33:41 +0100

Package : intel-microcode

Version : 3.20241112.1~deb8u1 (jessie), 3.20241112.1~deb9u1 (stretch), 3.20241112.1~deb10u1 (buster)

A microcode update has been released for Intel processors, addressing multiple vulnerabilties which potentially could cause local privileged escalation or local DoS.

CVE-2024-21820

Incorrect default permissions in some Intel(R) Xeon(R) processor memory
controller configurations when using Intel(R) SGX may allow a privileged user
to potentially enable escalation of privilege via local access.
(INTEL-SA-01079)

CVE-2024-21853

Improper finite state machines (FSMs) in the hardware logic in some 4th and 5th
Generation Intel(R) Xeon(R) Processors may allow an authorized user to
potentially enable denial of service via local access. (INTEL-SA-01101)

CVE-2024-23918

Improper conditions check in some Intel(R) Xeon(R) processor memory controller
configurations when using Intel(R) SGX may allow a privileged user to
potentially enable escalation of privilege via local access. (INTEL-SA-01079)

CVE-2024-23984 (already adressed in a previous upload, this upload adds more processor models.)

Observable discrepancy in RAPL interface for some Intel(R) Processors may allow
a privileged user to potentially enable information disclosure via local
access.

ELA-1275-1 libpgjava regression update (by )

Fri, 20 Dec 2024 08:17:29 +0200

Package : libpgjava

Version : 42.2.5-2+deb10u5 (buster)

A regression in PgResultSet.refreshRow() introduced by the CVE-2022-31197 fix in 42.2.5-2+deb10u2 has been fixed in the PostgreSQL JDBC Driver.

ELA-1274-1 astropy bugfix update (by )

Fri, 20 Dec 2024 08:12:54 +0200

Package : astropy

Version : 3.1.2-2+deb10u2 (buster)

Due to an issue unrelated to the DLA changes, the DLA-3803-1 update of astropy (an Astronomy package for Python) containing the CVE-2023-41334 fix had bever been successfully built.

ELA-1273-1 zabbix security update (by )

Sun, 15 Dec 2024 16:25:14 +0100

Package : zabbix

Version : 1:2.2.23+dfsg-0+deb8u9 (jessie), 1:3.0.32+dfsg-0+deb9u8 (stretch)

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially among other effects allowing denial of service, information disclosure, log tampering or buffer over-read.

CVE-2024-22117

When a URL is added to the map element, it is recorded in the database
with sequential IDs. Upon adding a new URL, the system retrieves the
last sysmapelementurlid value and increments it by one. However, an
issue arises when a user manually changes the sysmapelementurlid value
by adding sysmapelementurlid + 1. This action prevents others from
adding URLs to the map element.

CVE-2024-36464

When exporting media types, the password is exported in the YAML in
plain text. This appears to be a best practices type issue and may
have no actual impact. The user would need to have permissions to
access the media types and therefore would be expected to have
access to these passwords.

CVE-2024-42332

The researcher is showing that due to the way the SNMP trap log is
parsed, an attacker can craft an SNMP trap with additional lines of
information and have forged data show in the Zabbix UI. This attack
requires SNMP auth to be off and/or the attacker to know the
community/auth details. The attack requires an SNMP item to be
configured as text on the target host.

CVE-2024-42333

The researcher is showing that it is possible to leak a small amount
of Zabbix Server memory using an out of bounds read in
src/libs/zbxmedia/email.c

Length of support (by )

Fri, 13 Dec 2024 12:04:56 +0000

Freexian provides security support for PHP releases for at least 6 years after their initial publication. This is beyond upstream’s end-of-life, and will typically be extended as long as there is demand from customers and as long as it is technically possible to maintain it for a given target operating system.

Customers get 1 year of prior notice before we drop support for old PHP releases.

Debian and Ubuntu LTS releases are supported for up to 10 years.

Planned End-of-Life Dates
Debian 8	2025-06-30, matching the end of Extended LTS support
Ubuntu 16.04	2025-12-31
Debian 9	2027-06-30, matching the end of Extended LTS support
Ubuntu 18.04	2027-12-31
PHP 5.6, 7.x, 8.x	Not yet planned (> 1 year from now)

Ending support for Debian 8 and Ubuntu 16.04 in 2025 (by )

Fri, 13 Dec 2024 00:00:00 +0000

Freexian’s PHP LTS service is planning to end support for 2 platforms during 2025.

Support for Debian 8 will end on 30 June 2025, coinciding with the end of Extended LTS support.

Support for Ubuntu 16.04 will end on 31 December 2025.

These dates are documented on our platform end-of-life page.

Freexian’s PHP LTS service provides support for both current and older PHP releases, that are end of life upstream. The PHP packages are available as Debian packages for a range of Debian and Ubuntu releases. Currently PHP versions since 5.6 are supported on Debian since Debian 8 and Ubuntu since 16.04.

Also supported are a growing number of PECL extensions. Additional PECL extensions can be supported as needed.

For a complete matrix of supported PHP versions and Ubuntu and Debian releases, see Freexian’s PHP LTS offer.

This service is brought to you by Freexian in cooperation with Ondřej Surý.

Monthly report about Debian Long Term Support, November 2024 (by Roberto C. Sánchez)

Roberto C. Sánchez — Fri, 13 Dec 2024 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In November, 20 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 14.0h (out of 6.0h assigned and 8.0h from previous period).
Adrian Bunk did 53.0h (out of 15.0h assigned and 85.0h from previous period), thus carrying over 47.0h to the next month.
Andrej Shadura did 7.0h (out of 7.0h assigned).
Arturo Borrero Gonzalez did 1.0h (out of 10.0h assigned), thus carrying over 9.0h to the next month.
Bastien Roucariès did 20.0h (out of 20.0h assigned).
Ben Hutchings did 0.0h (out of 24.0h assigned), thus carrying over 24.0h to the next month.
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 17.0h (out of 26.0h assigned), thus carrying over 9.0h to the next month.
Emilio Pozuelo Monfort did 40.5h (out of 60.0h assigned), thus carrying over 19.5h to the next month.
Guilhem Moulin did 7.25h (out of 7.5h assigned and 12.5h from previous period), thus carrying over 12.75h to the next month.
Jochen Sprickerhof did 3.5h (out of 10.0h assigned), thus carrying over 6.5h to the next month.
Lee Garrett did 14.75h (out of 15.25h assigned and 44.75h from previous period), thus carrying over 45.25h to the next month.
Lucas Kanashiro did 10.0h (out of 54.0h assigned and 10.0h from previous period), thus carrying over 54.0h to the next month.
Markus Koschany did 20.0h (out of 40.0h assigned), thus carrying over 20.0h to the next month.
Roberto C. Sánchez did 6.75h (out of 9.75h assigned and 14.25h from previous period), thus carrying over 17.25h to the next month.
Santiago Ruano Rincón did 24.75h (out of 23.5h assigned and 1.5h from previous period), thus carrying over 0.25h to the next month.
Sean Whitton did 2.0h (out of 6.0h assigned), thus carrying over 4.0h to the next month.
Sylvain Beucler did 21.5h (out of 9.5h assigned and 50.5h from previous period), thus carrying over 38.5h to the next month.
Thorsten Alteholz did 11.0h (out of 11.0h assigned).
Tobias Frost did 12.0h (out of 10.5h assigned and 1.5h from previous period).

Evolution of the situation

In November, we have released 38 DLAs.

The LTS coordinators, Roberto and Santiago, delivered a talk at the Mini-DebConf event in Toulouse, France. The title of the talk was “How LTS goes beyond LTS”. The talk covered work done by the LTS Team during the past year. This included contributions related to individual packages in Debian (such as tomcat, jetty, radius, samba, apache2, ruby, and many others); improvements to tooling and documentation useful to the Debian project as a whole; and contributions to upstream work (apache2, freeimage, node-dompurify, samba, and more). Additionally, several contributors external to the LTS Team were highlighted for their contributions to LTS. Readers are encouraged to watch the video of the presentation for a more detailed review of various ways in which the LTS team has contributed more broadly to the Debian project and to the free software community during the past year.

We wish to specifically thank Salvatore (of the Debian Security Team) for swiftly handling during November the updates of needrestart and libmodule-scandeps-perl, both of which involved arbitrary code execution vulnerabilities. We are happy to see increased involvement in LTS work by contributors from outside the formal LTS Team.

The work of the LTS Team in November was otherwise unremarkable, encompassing the customary triage, development, testing, and release of numerous DLAs, along with some associated contributions to related packages in stable and unstable.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 110 months)
- Civil Infrastructure Platform (CIP) (for 78 months)
- VyOS Inc (for 42 months)
Gold sponsors:
- Roche Diagnostics International AG (for 120 months)
- Akamai - Linode (for 114 months)
- Babiel GmbH (for 104 months)
- Plat’Home (for 103 months)
- CINECA (for 78 months)
- University of Oxford (for 60 months)
- Deveryware (for 47 months)
- EDF SA (for 32 months)
- Dataport AöR (for 7 months)
- CERN (for 5 months)
Silver sponsors:
- Domeneshop AS (for 125 months)
- Nantes Métropole (for 119 months)
- Univention GmbH (for 111 months)
- Université Jean Monnet de St Etienne (for 111 months)
- Ribbon Communications, Inc. (for 105 months)
- Exonet B.V. (for 95 months)
- Leibniz Rechenzentrum (for 89 months)
- Ministère de l’Europe et des Affaires Étrangères (for 73 months)
- Cloudways by DigitalOcean (for 62 months)
- Dinahosting SL (for 60 months)
- Bauer Xcel Media Deutschland KG (for 54 months)
- Platform.sh SAS (for 54 months)
- Moxa Inc. (for 48 months)
- sipgate GmbH (for 46 months)
- OVH US LLC (for 44 months)
- Tilburg University (for 44 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 35 months)
- Soliton Systems K.K. (for 32 months)
- THINline s.r.o. (for 8 months)
- Copenhagen Airports A/S
Bronze sponsors:
- Evolix (for 125 months)
- Seznam.cz, a.s. (for 125 months)
- Intevation GmbH (for 122 months)
- Linuxhotel GmbH (for 122 months)
- Daevel SARL (for 121 months)
- Bitfolk LTD (for 120 months)
- Megaspace Internet Services GmbH (for 120 months)
- Greenbone AG (for 119 months)
- NUMLOG (for 119 months)
- WinGo AG (for 118 months)
- Entr’ouvert (for 110 months)
- Adfinis AG (for 107 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 102 months)
- Tesorion (for 102 months)
- GNI MEDIA (for 101 months)
- Bearstech (for 93 months)
- LiHAS (for 93 months)
- Catalyst IT Ltd (for 88 months)
- Supagro (for 83 months)
- Demarcq SAS (for 82 months)
- Université Grenoble Alpes (for 68 months)
- TouchWeb SAS (for 60 months)
- SPiN AG (for 57 months)
- CoreFiling (for 53 months)
- Institut des sciences cognitives Marc Jeannerod (for 48 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 44 months)
- Tem Innovations GmbH (for 39 months)
- WordFinder.pro (for 38 months)
- CNRS DT INSU Résif (for 37 months)
- Alter Way (for 30 months)
- Institut Camille Jordan (for 20 months)
- SOBIS Software GmbH (for 5 months)

ELA-1272-1 libsoup2.4 security update (by )

Thu, 12 Dec 2024 20:25:42 +0800

Package : libsoup2.4

Version : 2.48.0-1+deb8u3 (jessie), 2.56.0-2+deb9u3 (stretch), 2.64.2-2+deb10u1 (buster)

Multiple vulnerabilities were discovered in libsoup2.4, an HTTP library for Gtk+ programs.

CVE-2024-52530

In some configurations, HTTP request smuggling is possible because null characters at the end of the names of HTTP headers were ignored.

CVE-2024-52531

There was a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. This could lead to memory corruption, crashes or information disclosure. (Contrary to the CVE description, it is now believed that input received over the network could trigger this.)

CVE-2024-52532

An infinite loop in the processing of WebSocket data from clients could lead to a denial-of-service problem through memory exhaustion.

ELA-1271-1 linux-6.1 new linux version (by )

Thu, 12 Dec 2024 12:29:20 +0100

Package : linux-6.1

Version : 6.1.112-1~deb9u1 (stretch), 6.1.112-1~deb10u1 (buster)

This update introduces Linux kernel 6.1 to Debian 9 stretch and Debian 10 buster. This kernel will be supported along with 5.10, but for a longer period. Linux 4.19 was discontinued as announced in ELA-1116-1. Instructions on how to update to 6.1 and support periods can be found in the kernel backports page.

ELA-1270-1 ntp security update (by )

Wed, 11 Dec 2024 12:28:41 +0800

Package : ntp

Version : 1:4.2.8p12+dfsg-4+deb10u1 (buster)

Multiple vulnerabilities were discovered in ntp, a Network Time Protocol daemon and set of utility programs.

CVE-2020-11868

It was possible for an off-path attacker to block unauthenticated synchronisation via a server mode packet with a spoofed source IP address.

CVE-2020-15025

A remote attacker could cause a denial-of-service because of a memory leak in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.

CVE-2023-26555

The clock driver for the Trimble Palisade GPS timing receiver contained an out-of-bounds write, which could cause memory corruption or a crash.

ELA-1269-1 avahi security update (by )

Mon, 09 Dec 2024 14:37:19 +0200

Package : avahi

Version : 0.6.31-5+deb8u3 (jessie), 0.6.32-2+deb9u3 (stretch), 0.7-4+deb10u4 (buster)

Multiple vulnerabilities have been fixed in the service discovery system Avahi.

Additionally, a GetAlternativeServiceName regression introduced by the CVE-2023-1981 fix in DLA-3414-1 (buster) and ELA-844-1 (jessie, stretch) has been fixed.

CVE-2023-38469

Reachable assertion in avahi_dns_packet_append_record

CVE-2023-38470

Reachable assertion in avahi_escape_label

CVE-2023-38471

Reachable assertion in dbus_set_host_name

CVE-2023-38472

Reachable assertion in avahi_rdata_parse

CVE-2023-38473

Reachable assertion in avahi_alternative_host_name

Debian Contributions: OpenMPI transitions, cPython 3.12.7+ update uploads, Python 3.13 Transition, and more! (by Anupa Ann Joseph, Stefano Rivera)

Anupa Ann Joseph, Stefano Rivera — Mon, 09 Dec 2024 00:00:00 +0000

Debian Contributions: 2024-11

Transition management, by Emilio Pozuelo Monfort

Emilio has been helping finish the mpi-defaults switch to mpich on 32-bit architectures, and the openmpi transitions. This involves filing bugs for the reverse dependencies, doing NMUs, and requesting removals for outdated (Not Built from Source) binaries on 32-bit architectures where openmpi is no longer available. Those transitions got entangled with a few others, such as the petsc stack, and were blocking many packages from migrating to testing. These transitions were completed in early December.

cPython 3.12.7+ update uploads, by Stefano Rivera

Python 3.12 had failed to build on mips64el, due to an obscure dh_strip failure. The mips64el porters never figured it out, but the missing build on mips64el was blocking migration to Debian testing. After waiting a month, enough changes had accumulated in the upstream 3.12 maintenance git branch that we could apply them in the hope of changing the output enough to avoid breaking dh_strip. This worked.

Of course there were other things to deal with too. A test started failing due to a Debian-specific patch we carry for python3.x-minimal, and it needed to be reworked. And Stefano forgot to strip the trailing + from PY_VERSION, which confuses some python libraries. This always requires another patch when applying git updates from the maintenance branch. Stefano added a build-time check to catch this mistake in the future. Python 3.12.7 migrated.

Python 3.13 Transition, by Stefano Rivera and Colin Watson

During November the Python 3.13-add transition started. This is the first stage of supporting a new version of Python in Debian archive (after preparatory work), adding it as a new supported but non-default version. All packages with compiled Python extensions need to be re-built to add support for the new version.

We have covered the lead-up to this transition in the past. Due to preparation, many of the failures we hit were expected and we had patches waiting in the bug tracker. These could be NMUed to get the transition moving. Others had been known about but hadn’t been worked on, yet.

Some other packages ran into new issues, as we got further into the transition than we’d been able to in preparation. The whole Debian Python team has been helping with this work.

The rebuild stage of the 3.13-add transition is now over, but many packages need work before britney will let python3-defaults migrate to testing.

Limiting build concurrency based on available RAM, by Helmut Grohne

In recent years, the concurrency of CPUs has been increasing as has the demand for RAM by linkers. What has not been increasing as quickly is the RAM supply in typical machines. As a result, we more frequently run into situations where the package builds exhaust memory when building at full concurrency. Helmut initiated a discussion about generalizing an approach to this in Debian packages. Researching existing code that limits concurrency as well as providing possible extensions to debhelper and dpkg to provide concurrency limits based on available system RAM. Thus far there is consensus on the need for a more general solution, but ideas are still being collected for the precise solution.

MiniDebConf Toulouse at Capitole du Libre

The whole Freexian Collaborator team attended MiniDebConf Toulouse, part of the Capitole du Libre event. Several members of the team gave talks:

Santiago spoke on Linux Live Patching in Debian, presenting an update on the idea since DebConf 24. This includes the initial requirements for the livepatch package format, that would be used to distribute the livepatches.
Stefano, Colin, Enrico, and Carles spoke on Using Debusine to Automate QA.
Santiago and Roberto spoke on How LTS Goes Beyond LTS.
Helmut spoke on Cross Building.
Carles gave a lightning talk on po-debconf-manager.

Stefano and Anupa worked as part of the video team, streaming and recording the event’s talks.

Miscellaneous contributions

Stefano looked into packaging the latest upstream python-falcon version in Debian, in support of the Python 3.13 transition. This appeared to break python-hug, which is sadly looking neglected upstream, and the best course of action is probably its removal from Debian.
Stefano uploaded videos from various 2024 Debian events to PeerTube and YouTube.
Stefano and Santiago visited the site for DebConf 2025 in Brest, after the MiniDebConf in Toulouse, to meet with the local team and scout out the venue.

The on-going DebConf 25 organization work of last month also included handling the logo and artwork call for proposals.
Stefano helped the press team to edit a post for bits.debian.org on OpenStreetMap’s migration to Debian.
Carles implemented multiple language support on po-debconf-manager and tested it using Portuguese-Brazilian during MiniDebConf Toulouse. The system was also tested and improved by reviewing more than 20 translations to Catalan, creating merge requests for those packages, and providing user support to new users. Additionally, Carles implemented better status transitions, configuration keys management and other small improvements.
Helmut sent 32 patches for cross build failures. The wireplumber one was an interactive collaboration with Dylan Aïssi.
Helmut continued to monitor the /usr-move, sent a patch for lib64readline8 and continued several older patch conversations. lintian now reports some aliasing issues in unstable.
Helmut initiated a discussion on the semantics of *-for-host packages. More feedback is welcome.
Helmut improved the crossqa.debian.net infrastructure to fail running lintian less often in larger packages.
Helmut continued maintaining rebootstrap mostly dropping applied patches and continuing discussions of submitted patches.
Helmut prepared a non-maintainer upload of gzip for several long-standing bugs.
Colin came up with a plan for resolving the multipart vs. python-multipart name conflict, and began work on converting reverse-dependencies.
Colin upgraded 42 Python packages to new upstream versions. Some were complex: python-catalogue had some upstream version confusion, pydantic and rpds-py involved several Rust package upgrades as prerequisites, and python-urllib3 involved first packaging python-quart-trio and then vendoring an unpackaged test-dependency.
Colin contributed Incus support to needrestart upstream.
Lucas set up a machine to do a rebuild of all ruby reverse dependencies to check what will be broken by adding ruby 3.3 as an alternative interpreter. The tool used for this is mass-rebuild and the initial rebuilds have already started. The ruby interpreter maintainers are planning to experiment with debusine next time.
Lucas is organizing a Debian Ruby sprint towards the end of January in Paris. The plan of the team is to finish any missing bits of Ruby 3.3 transition at the time, try to push Rails 7 transition and fix RC bugs affecting the ruby ecosystem in Debian.
Anupa attended a Debian Publicity team meeting in-person during MiniDebCamp Toulouse.
Anupa moderated and posted in the Debian Administrator group in LinkedIn.

ELA-1268-1 clamav security update (by )

Wed, 04 Dec 2024 19:36:21 -0300

Package : clamav

Version : 0.103.12+dfsg-0+deb8u1 (jessie), 0.103.12+dfsg-0+deb9u1 (stretch), 1.0.7+dfsg-1~deb10u1 (buster)

Related CVEs : CVE-2024-20505 CVE-2024-20506

Two vulnerabilities were found in ClamAV, an antivirus toolkit for Unix.

CVE-2024-20505

Affected versions could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an out of bounds read. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. An exploit could allow the attacker to terminate the scanning process.

CVE-2024-20506

Affected versions could allow an authenticated, local attacker to corrupt critical system files. The vulnerability is due to allowing the ClamD process to write to its log file while privileged without checking if the logfile has been replaced with a symbolic link. An attacker could exploit this vulnerability if they replace the ClamD log file with a symlink to a critical system file and then find a way to restart the ClamD process. An exploit could allow the attacker to corrupt a critical system file by appending ClamD log messages after restart.

On Debian 10 (Buster), clamav was updated to version 1.0.7+dfsg-1~deb10u1. In order to properly built it, new source packages and their binaries were introduced to Debian 10 (Buster):

cmake-latest/3.18.4-2~deb10u1
llvm-toolchain-16/1:16.0.6-15~deb10u1
rustc-web/1.78.0+dfsg1-2~deb10u1

Due to the library soname bump, the reverse dependencies of libclamav9 were also rebuilt against libclamav11. The following source packages were updated:

c-icap-modules/1:0.5.3-1+deb10u2
cyrus-imapd/3.0.8-6+deb10u7
havp/0.93-2+deb10u1
pg-snakeoil/1.1-1+deb10u1
python-clamav/0.4.1-11+deb10u1

ELA-1267-1 python3.4 security update (by )

Tue, 03 Dec 2024 18:35:28 +0000

Package : python3.4

Version : 3.4.2-1+deb8u19 (jessie)

Multiple vulnerabilities were found in python3.4, an interactive high-level object-oriented language.

CVE-2023-27043:

The email module of Python
incorrectly parsed e-mail addresses that contain
a special character. The wrong portion of an
RFC2822 header was identified as the value of the addr-spec.
In some applications, an attacker could bypass a protection
mechanism in which application access is granted only after
verifying receipt of e-mail to a specific domain (e.g.,
only @company.example.com addresses may be used for signup).

CVE-2024-6232:

Regular expressions that allowed excessive
backtracking during tarfile.TarFile header parsing were vulnerable
to ReDoS via specifically-crafted tar archives.

CVE-2024-6923

The email module didn’t properly quote
newlines for email headers when serializing an email message,
allowing for header injection when an email is serialized.

CVE-2024-7592

When parsing cookies that contained
backslashes for quoted characters in the cookie value,
the parser would use an algorithm with quadratic complexity,
resulting in excess CPU resources being used while parsing
the value

CVE-2024-9287

A vulnerability has been found in the `venv`
module and CLI where path names provided when creating a
virtual environment were not quoted properly, allowing the
creator to inject commands into virtual environment "activation"
scripts (ie "source venv/bin/activate").

CVE-2024-11168

The urllib.parse.urlsplit() and urlparse()
functions improperly validated bracketed hosts (`[]`),
allowing hosts that weren't IPv6 or IPvFuture. This behavior
was not conformant to RFC 3986 and potentially enabled SSRF
if a URL is processed by more than one URL parser.

ELA-1266-1 simplesamlphp security update (by )

Tue, 03 Dec 2024 12:01:32 -0300

Package : simplesamlphp

Version : 1.16.3-1+deb10u3 (buster)

Related CVEs : CVE-2024-52596 CVE-2024-52806

It was discovered that in SimpleSAMLphp, an implementation of the SAML 2.0 protocol, is prone to XML external entity (XXE) vulnerabilities when loading (untrusted) XML documents or parsing SAML messages.

ELA-1238-2 needrestart regression update (by )

Mon, 02 Dec 2024 21:55:26 -0300

Package : needrestart

Version : 1.2-8+deb8u4 (jessie), 2.11-3+deb9u4 (stretch), 3.4-5+deb10u3 (buster)

Related CVEs : CVE-2024-48991

The update for needrestart announced as ELA 1228-1 introduced a regression, reporting false positives for processes running in chroot or mountns. Updated packages are now available to correct this issue.

ELA-1265-1 mariadb-10.1 security update (by )

Sun, 01 Dec 2024 10:29:50 +0000

Package : mariadb-10.1

Version : 10.1.48-0+deb9u6 (stretch)

Related CVEs : CVE-2022-38791

A Denial-of-service vulnerability was found in MariaDB, a popular database server. It was found that the mariabackup tool did not correctly handle a mutex primitive, making it possible for local users to trigger a deadlock.

ELA-1264-1 openssl1.0 security update (by )

Sun, 01 Dec 2024 10:32:47 +0800

Package : openssl1.0

Version : 1.0.2u-1~deb9u10 (stretch)

Related CVEs : CVE-2023-5678 CVE-2024-0727

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer toolkit.

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

ELA-1263-1 lemonldap-ng security update (by )

Sat, 30 Nov 2024 22:25:46 +0100

Package : lemonldap-ng

Version : 2.0.2+ds-7+deb10u11 (buster)

Related CVEs : CVE-2024-48933 CVE-2024-52947

Two Cross-site scripting (XSS) vulnerabilities were discovered in Lemonldap::NG, an OpenID-Connect, CAS and SAML compatible Web-SSO system, which could lead to injection of arbitrary scripts or HTML content.

CVE-2024-48933: XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters.
CVE-2024-52947: XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page (upgradeSession) if the “Upgrade session” plugin has been enabled by an admin.

ELA-1262-1 python3.5 security update (by )

Sat, 30 Nov 2024 21:04:07 +0000

Package : python3.5

Version : 3.5.3-1+deb9u11 (stretch)

Multiple vulnerabilities were found in python3.5, an interactive high-level object-oriented language.

CVE-2023-27043:

The email module of Python
incorrectly parsed e-mail addresses that contain
a special character. The wrong portion of an
RFC2822 header was identified as the value of the addr-spec.
In some applications, an attacker could bypass a protection
mechanism in which application access is granted only after
verifying receipt of e-mail to a specific domain (e.g.,
only @company.example.com addresses may be used for signup).

CVE-2024-6232:

Regular expressions that allowed excessive
backtracking during tarfile.TarFile header parsing were vulnerable
to ReDoS via specifically-crafted tar archives.

CVE-2024-6923

The email module didn’t properly quote
newlines for email headers when serializing an email message,
allowing for header injection when an email is serialized.

CVE-2024-7592

When parsing cookies that contained
backslashes for quoted characters in the cookie value,
the parser would use an algorithm with quadratic complexity,
resulting in excess CPU resources being used while parsing
the value

CVE-2024-9287

A vulnerability has been found in the `venv`
module and CLI where path names provided when creating a
virtual environment were not quoted properly, allowing the
creator to inject commands into virtual environment "activation"
scripts (ie "source venv/bin/activate").

CVE-2024-11168

The urllib.parse.urlsplit() and urlparse()
functions improperly validated bracketed hosts (`[]`),
allowing hosts that weren't IPv6 or IPvFuture. This behavior
was not conformant to RFC 3986 and potentially enabled SSRF
if a URL is processed by more than one URL parser.

ELA-1261-1 dnsmasq security update (by )

Sat, 30 Nov 2024 16:28:29 +0100

Package : dnsmasq

Version : 2.80-1+deb10u3 (buster)

Related CVEs : CVE-2023-50387 CVE-2023-50868

CVE-2023-50387

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers to cause a denial of service (CPU
consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One
of the concerns is that, when there is a zone with many DNSKEY and RRSIG
records, the protocol specification implies that an algorithm must evaluate
all combinations of DNSKEY and RRSIG records.

CVE-2023-50868

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote attackers to cause a denial of
service (CPU consumption for SHA-1 computations) via DNSSEC responses in a
random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification
implies that an algorithm must perform thousands of iterations of a hash
function in certain situations.

ELA-1260-1 activemq security update (by )

Sat, 30 Nov 2024 14:49:59 +0100

Package : activemq

Version : 5.14.3-3+deb9u3 (stretch) 5.15.16-0+deb10u2 (buster)

Related CVEs : CVE-2023-46604 CVE-2022-41678

Two vulnerabilities were discovered in the activemq suite of packages. Activemq is the java-based flexible & powerful open source multi-protocol message broker.

CVE-2022-41678

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.

The fix for this problem has been added to both the Debian Stretch and the Debian Buster packages.

CVE-2023-46604

Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.

The fix for this problem has been added to the Debian Stretch package. The Debian Buster package was fixed already
in a previous update, in version 5.15.16-0+deb10u1.

ELA-1259-1 editorconfig-core security update (by )

Sat, 30 Nov 2024 13:07:19 +0100

Package : editorconfig-core

Version : 0.12.1-1.1+deb10u1 (buster)

Related CVEs : CVE-2023-0341 CVE-2024-53849

Two issues have been found in editorconfig-core, a coding style indenter for all editors. Both issues are related to buffer overflows in different locations.

ELA-1258-1 openssl security update (by )

Sat, 30 Nov 2024 19:15:19 +0800

Package : openssl

Version : 1.0.1t-1+deb8u22 (jessie)

Related CVEs : CVE-2023-5678 CVE-2024-0727

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer toolkit.

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

ELA-1257-1 openssl security update (by )

Sat, 30 Nov 2024 19:14:29 +0800

Package : openssl

Version : 1.1.0l-1~deb9u10 (stretch)

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer toolkit.

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511

A denial of service could occur when the SSL_OP_NO_TICKET flag is set, with TLSv1.3.

CVE-2024-9143

Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. This could lead to information disclosure or possibly remote code execution.

ELA-1256-1 openssl security update (by )

Sat, 30 Nov 2024 19:13:05 +0800

Package : openssl

Version : 1.1.1n-0+deb10u7 (buster)

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer toolkit.

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511

A denial of service could occur when the SSL_OP_NO_TICKET flag is set, with TLSv1.3.

CVE-2024-4741

A use-after-free problem was found in the SSL_free_buffers function.

CVE-2024-5535

Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

CVE-2024-9143

Tryton 7.0 LTS reaches Debian trixie (by Mathias Behrle, Raphaël Hertzog and Anupa Ann Joseph)

Mathias Behrle, Raphaël Hertzog and Anupa Ann Joseph — Fri, 29 Nov 2024 00:00:00 +0000

Tryton is a FOSS software suite which is highly modular and scalable. Tryton along with its standard modules can provide a complete ERP solution or it can be used for specific functions of a business like accounting, invoicing etc.

Debian packages for Tryton are being maintained by Mathias Behrle. You can follow him on Mastodon or get his help on Tryton related projects through MBSolutions (his own consulting company).

Freexian has been sponsoring Mathias’s packaging work on Tryton for a while, so that Debian gets all the quarterly bug fix releases as well as the security release in a timely manner.

About Tryton 7.0 LTS

Lately Mathias has been busy packaging Tryton 7.0 LTS. As the “LTS” tag implies, this release is recommended for production deployments since it will be supported until November 2028. This release brings numerous bug fixes, performance improvements and various new features.

As part of this work, 41 new Tryton modules and 6 dependency packages have been added to Debian, significantly broadening the options available to Debian users and improving integration with Tryton systems.

Running different versions of Tryton on different Debian releases

To provide extended compatibility, a dedicated Tryton mirror is being managed and is available at https://debian.m9s.biz/debian/. This mirror hosts backports for all supported Tryton series, ensuring availability for a variety of Debian releases and deployment scenarios.

These initiatives highlight MBSolutions’ technical contributions to the Tryton community, made possible by Freexian’s financial backing. Together, we are advancing the Tryton ecosystem for Debian users.

ELA-1255-1 unbound1.9 security update (by )

Thu, 28 Nov 2024 23:00:27 +0100

Package : unbound1.9

Version : 1.9.0-2+deb10u2~deb9u5 (stretch)

Multiple vulnerabilities were discovered in unbound, a validating, recursive, caching DNS resolver.

CVE-2024-8508

When handling replies with very large RRsets that unbound needs to perform
name compression for, it can spend a considerable time applying name
compression to downstream replies, potentially leading to degraded
performance and eventually denial of service in well orchestrated attacks.

CVE-2024-43167

A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in
Unbound. This issue could allow an attacker who can invoke specific
sequences of API calls to cause a segmentation fault. When certain API
functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a
particular order, the program attempts to read from a NULL pointer,
leading to a crash. This issue can result in a denial of service by causing
the application to terminate unexpectedly.

CVE-2024-43168

A heap-buffer-overflow flaw was found in the cfg_mark_ports function within
Unbound's config_file.c, which can lead to memory corruption. This issue
could allow an attacker with local access to provide specially crafted
input, potentially causing the application to crash or allowing arbitrary
code execution. This could result in a denial of service or unauthorized
actions on the system.

ELA-1254-1 icinga2 security update (by )

Thu, 28 Nov 2024 22:50:44 +0100

Package : icinga2

Version : 2.10.3-2+deb10u2 (buster)

Multiple vulnerabilities were discovered in icinga2, a general-purpose monitoring application.

CVE-2020-29663

An issue was discovered where revoked certificates due for renewal were
automatically being renewed, ignoring the CRL.

CVE-2021-32739

A vulnerability was discovered that may allow privilege escalation for
authenticated API users. With a read-only user's credentials, an attacker can
view most attributes of all config objects including `ticket_salt` of
`ApiListener`. This salt is enough to compute a ticket for every possible
common name (CN). A ticket, the master node's certificate, and a self-signed
certificate are enough to successfully request the desired certificate from
Icinga. That certificate may in turn be used to steal an endpoint or API user's
identity.

CVE-2021-32743

Some of the Icinga 2 features that require credentials for external
services expose those credentials through the API to authenticated API users
with read permissions for the corresponding object types.  IdoMysqlConnection
and IdoPgsqlConnection (every released version) exposes the password of the
user used to connect to the database.  ElasticsearchWriter (added in 2.8.0)
exposes the password used to connect to the Elasticsearch server. An attacker
who obtains these credentials can impersonate Icinga to these services and add,
modify and delete information there.

CVE-2021-37698

ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do
not verify the server's certificate despite a certificate authority being
specified. Instances which connect to any of the mentioned time series
databases (TSDBs) using TLS over a spoofable infrastructure should change the
credentials (if any) used by the TSDB writer feature to authenticate against
the TSDB.

CVE-2024-49369

The TLS certificate validation in all Icinga 2 versions starting from
2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster
nodes as well as any API users that use TLS client certificates for
authentication (ApiUser objects with the `client_cn` attribute set).

ELA-1253-1 redis security update (by )

Thu, 28 Nov 2024 23:45:11 +0200

Package : redis

Version : 2:2.8.17-1+deb8u13 (jessie), 3:3.2.6-3+deb9u13 (stretch), 5:5.0.14-1+deb10u6 (buster)

Multiple vulnerabilities have been fixed in the key–value database Redis.

CVE-2022-35977

integer overflows in SETRANGE and SORT

CVE-2022-36021 (jessie, stretch)

string pattern matching DoS

CVE-2023-25155

SRANDMEMBER integer overflow

CVE-2024-31228

unbounded pattern matching DoS

CVE-2024-31449 (stretch)

Lua bit library stack overflow

ELA-1252-1 libmodule-scandeps-perl security update (by )

Thu, 28 Nov 2024 17:29:38 -0300

Package : libmodule-scandeps-perl

Version : 1.16-1+deb8u1 (jessie), 1.23-1+deb9u1 (stretch), 1.27-1+deb10u1 (buster)

Related CVEs : CVE-2024-10224

The Qualys Threat Research Unit discovered that libmodule-scandeps-perl, a Perl module to recursively scan Perl code for dependencies, allows an attacker to execute arbitrary shell commands via specially crafted file names.

Details can be found in the Qualys advisory at https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

ELA-1251-1 mpg123 security update (by )

Thu, 28 Nov 2024 19:56:36 +0000

Package : mpg123

Version : 1.23.8-1+deb9u1 (stretch)

mpg123 a popular MPEG layer 1/2/3 audio player was affected by multiple vulnerabilities.

CVE-2017-9545

The next_text function allowed remote attackers to cause a
Denial Of Service (buffer over-read) via a crafted mp3 file.

CVE-2017-10683

A heap-based buffer over-read was found in the convert_latin1 function.
A crafted input will lead to a remote denial of service attack.

CVE-2017-12797

An Integer Overflow was found in the INT123_parse_new_id3 function
in the ID3 parser in mpg123 on 32-bit platforms. This vulnerability
allowed remote attackers to cause a denial of service via a crafted
file, which triggers a heap-based buffer overflow.

CVE-2017-12839

A heap-based buffer over-read was found in the getbits function.
This vulnerability allowed a remote attackers to cause
a possible denial-of-service (out-of-bounds read) via a
crafted mp3 file.

CVE-2024-10573

An out-of-bounds write flaw was found in mpg123 when handling crafted
streams. When decoding PCM, the libmpg123 may write past the end
of a heap-located buffer. Consequently, heap corruption may happen.

ELA-1250-1 mpg123 security update (by )

Thu, 28 Nov 2024 19:52:11 +0000

Package : mpg123

Version : 1.25.10-2+deb10u1 (buster)

Related CVEs : CVE-2024-10573

mpg123 a popular MPEG layer 1/2/3 audio player was affected by a vulnerability.

An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen.

ELA-1249-1 tzdata new timezone database (by )

Thu, 28 Nov 2024 20:44:04 +0100

Package : tzdata

Version : 2024b-0+deb8u1 (jessie), 2024b-0+deb9u1 (stretch), 2024b-0+deb10u1 (buster)

This update includes the changes in tzdata 2024b. Notable changes are:

Updated leap second list, which was set to expire by the end of December.
Correction of historical data for Mexico, Mongolia and Portugal.

ELA-1248-1 twisted security update (by )

Thu, 28 Nov 2024 16:18:16 +0100

Package : twisted

Version : 16.6.0-2+deb9u5 (stretch)

Related CVEs : CVE-2024-41671 CVE-2024-41810

Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting.

CVE-2024-41671

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.
CVE-2024-41810

The twisted.web.util.redirectTo function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

ELA-1247-1 twisted security update (by )

Thu, 28 Nov 2024 16:17:48 +0100

Package : twisted

Version : 18.9.0-3+deb10u3 (buster)

Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting.

CVE-2023-46137

When sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.
CVE-2024-41671

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.
CVE-2024-41810

The twisted.web.util.redirectTo function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

ELA-1246-1 exim4 security update (by )

Wed, 27 Nov 2024 16:22:28 +0100

Package : exim4

Version : 4.84.2-2+deb8u13 (jessie), 4.89-2+deb9u14 (stretch), 4.92-8+deb10u11 (buster)

Related CVEs : CVE-2023-42117 CVE-2023-42119

Multiple potential security vulnerabilities have been addressed in exim4, a mail transport agent. These issues may allow remote attackers to disclose sensitive information or execute arbitrary code but only if Exim4 is run behind or with untrusted proxy servers or DNS resolvers. If your proxy-protocol proxy or DNS resolver are trustworthy, you are not affected.

In addition CVE-2021-38371 and CVE-2022-3559 have been addressed for Debian 10 “Buster” and CVE-2022-3559 for Debian 9 “Stretch”.

ELA-1245-1 bind9 security update (by )

Wed, 27 Nov 2024 11:56:02 +0100

Package : bind9

Version : 1:9.10.3.dfsg.P4-12.3+deb9u17 (stretch)

Related CVEs : CVE-2024-1737 CVE-2024-1975

Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service.

ELA-1244-1 python3.7 security update (by )

Tue, 26 Nov 2024 11:13:28 +0000

Package : python3.7

Version : 3.7.3-2+deb10u9 (buster)

Multiple vulnerabilities were found in python3.7, an interactive high-level object-oriented language.

CVE-2023-27043:

The email module of Python
incorrectly parsed e-mail addresses that contain
a special character. The wrong portion of an
RFC2822 header was identified as the value of the addr-spec.
In some applications, an attacker could bypass a protection
mechanism in which application access is granted only after
verifying receipt of e-mail to a specific domain (e.g.,
only @company.example.com addresses may be used for signup).

CVE-2024-6232:

Regular expressions that allowed excessive
backtracking during tarfile.TarFile header parsing were vulnerable
to ReDoS via specifically-crafted tar archives.

CVE-2024-6923

The email module didn’t properly quote
newlines for email headers when serializing an email message,
allowing for header injection when an email is serialized.

CVE-2024-7592

When parsing cookies that contained
backslashes for quoted characters in the cookie value,
the parser would use an algorithm with quadratic complexity,
resulting in excess CPU resources being used while parsing
the value

CVE-2024-9287

A vulnerability has been found in the `venv`
module and CLI where path names provided when creating a
virtual environment were not quoted properly, allowing the
creator to inject commands into virtual environment "activation"
scripts (ie "source venv/bin/activate").

CVE-2024-11168

The urllib.parse.urlsplit() and urlparse()
functions improperly validated bracketed hosts (`[]`),
allowing hosts that weren't IPv6 or IPvFuture. This behavior
was not conformant to RFC 3986 and potentially enabled SSRF
if a URL is processed by more than one URL parser.

ELA-1243-1 ghostscript security update (by )

Sun, 24 Nov 2024 23:59:04 +0200

Package : ghostscript

Version : 9.26a~dfsg-0+deb8u13 (jessie), 9.26a~dfsg-0+deb9u13 (stretch), 9.27~dfsg-2+deb10u10 (buster)

Multiple vulnerabilities have been fixed in the PostScript/PDF interpreter Ghostscript.

CVE-2024-46951

PS interpreter unchecked pointer

CVE-2024-46953

output filename format string integer overflow

CVE-2024-46955

PS interpreter out-of-bounds

CVE-2024-46956

PS interpreter out-of-bounds

ELA-1242-1 intel-microcode security update (by )

Sun, 24 Nov 2024 15:45:15 +0100

Package : intel-microcode

Version : 3.20240910.1~deb8u1 (jessie), 3.20240910.1~deb9u1 (stretch), 3.20240910.1~deb10u1 (buster)

Related CVEs : CVE-2024-23984 CVE-2024-24968

A microcode update has been released for Intel processors, addressing multiple vulnerabilties which potentially could cause information disclosue or local DoS.

CVE-2024-23984

Observable discrepancy in RAPL interface for some Intel(R)
Processors may allow a privileged user to potentially enable
information disclosure via local access.

CVE-2024-24968

Improper finite state machines (FSMs) in hardware logic in some
Intel(R) Processors may allow an privileged user to potentially
enable a denial of service via local access.

ELA-1241-1 amd64-microcode security update (by )

Sun, 24 Nov 2024 10:28:32 +0100

Package : amd64-microcode

Version : 3.20240820.1~deb8u1 (jessie), 3.20240820.1~deb9u1 (stretch), 3.20240820.1~deb10u1 (buster)

AMD has released microcode updates to address multiple vulnerabilties.

This release requires either new-enough system firmware, or a recent-enough Linux kernel to properly work on AMD Genoa and Bergamo processors.

The firmware requirement is AGESA 1.0.0.8 or newer.

The Linux kernel requirement is a group of patches that are already present in the Linux stable/LTS/ELTS trees since versions: v4.19.289, v5.4.250, v5.10.187, v5.15.120, v6.1.37, v6.3.11 and v6.4.1. These patches are also present in Linux v6.5-rc1.

CVE-2023-20569

A side channel vulnerability on some of the AMD CPUs may allow an
attacker to influence the return address prediction. This may result
in speculative execution at an attacker-controlled?address,
potentially leading to information disclosure. 

CVE-2023-20569 had been previously reported as fixed in an earlier
update, this update expands the fixes to 4th Gen AMD EPYC
processors, Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19
Model=0xa0). See Debian bug #1043381 for details.

CVE-2023-20584

IOMMU improperly handles certain special address ranges with invalid
device table entries (DTEs), which may allow an attacker with
privileges and a compromised Hypervisor to induce DTE faults to
bypass RMP checks in SEV-SNP, potentially leading to a loss of guest
integrity.

CVE-2023-31315

Improper validation in a model specific register (MSR) could allow a
malicious program with ring0 access to modify SMM configuration
while SMI lock is enabled, potentially leading to arbitrary code
execution.

CVE-2023-31356

Incomplete system memory cleanup in SEV firmware could allow a
privileged attacker to corrupt guest private memory, potentially
resulting in a loss of data integrity.

ELA-1240-1 glib2.0 security update (by )

Sat, 23 Nov 2024 21:00:13 +0200

Package : glib2.0

Version : 2.42.1-1+deb8u8 (jessie), 2.50.3-2+deb9u7 (stretch), 2.58.3-2+deb10u7 (buster)

Related CVEs : CVE-2024-52533

A buffer overflow with long SOCKS4a proxy hostname and username has been fixed in the GNOME Input/Output library (GIO).

ELA-1239-1 qtbase-opensource-src security update (by )

Fri, 22 Nov 2024 23:43:54 +0200

Package : qtbase-opensource-src

Version : 5.3.2+dfsg-4+deb8u7 (jessie), 5.7.1+dfsg-3+deb9u5 (stretch), 5.11.3+dfsg1-1+deb10u7 (buster)

Multiple vulnerabilities have been fixed in qtbase-opensource-src, the core part of the Qt 5 application framework.

CVE-2023-24607 (jessie)

Qt SQL ODBC driver DoS

CVE-2023-32763 (jessie)

Qt SVG buffer overflow

CVE-2023-33285 (jessie)

QDnsLookup buffer over-read

CVE-2023-34410

certificate validation for TLS did not always consider whether the root of a chain is a configured CA certificate

CVE-2023-37369 (jessie)

QXmlStreamReader buffer overflow

CVE-2023-38197 (jessie)

QXmlStreamReader buffer overflow

ELA-1238-1 needrestart security update (by )

Wed, 20 Nov 2024 15:23:01 -0300

Package : needrestart

Version : 1.2-8+deb8u3 (jessie), 2.11-3+deb9u3 (stretch), 3.4-5+deb10u2 (buster)

The Qualys Threat Research Unit discovered several local privilege escalation vulnerabilities in needrestart, a utility to check which daemons need to be restarted after library upgrades.

CVE-2024-11003

  Local attackers can trick needrestart to call the Perl module
  Module::ScanDeps with attacker-controlled files.

CVE-2024-48990

  Local attackers can execute arbitrary code as root by tricking needrestart
  into running the Python interpreter with an attacker-controlled PYTHONPATH
  environment variable.

CVE-2024-28991

  Local attackers can execute arbitrary code as root by winning a race
  condition and tricking needrestart into running their own, fake Python
  interpreter (instead of the system's real Python interpreter).

CVE-2024-28992

  Local attackers can also execute arbitrary code as root by tricking
  needrestart into running the Ruby interpreter with an attacker-controlled
  RUBYLIB environment variable.

Details can be found in the Qualys advisory at https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

ELA-1237-1 smarty3 security update (by )

Sun, 17 Nov 2024 12:54:19 +0100

Package : smarty3

Version : 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u3 (buster)

Multiple vulnerabilties were discovered for smarty3, a widely-used PHP templating engine, which potentially allows an attacker to perform an XSS (e.g JavaScript or PHP code injection).

CVE-2018-25047

In Smarty before 3.1.47 and 4.x before 4.2.1,
libs/plugins/function.mailto.php allows XSS. A web page that uses
smarty_function_mailto, and that could be parameterized using GET or
POST input parameters, could allow injection of JavaScript code by a
user.

CVE-2018-25047 had already been reported as fixed previously via DLA-3262-1, however it was found the fix was incomplete.

CVE-2023-28447

In affected versions smarty did not properly escape javascript code.
An attacker could exploit this vulnerability to execute arbitrary
JavaScript code in the context of the user's browser session. This
may lead to unauthorized access to sensitive user data, manipulation
of the web application's behavior, or unauthorized actions performed
on behalf of the user. Users are advised to upgrade to either
version 3.1.48 or to 4.3.1 to resolve this issue. There are no known
workarounds for this vulnerability.

CVE-2024-35226

In affected versions template authors could inject php code by
choosing a malicious file name for an extends-tag. Sites that cannot
fully trust template authors should update asap. All users are
advised to update.  There is no patch for users on the v3 branch.
There are no known workarounds for this vulnerability.

ELA-1236-1 waitress security update (by )

Sat, 16 Nov 2024 23:56:23 +0200

Package : waitress

Version : 1.2.0~b2-2+deb10u2 (buster)

Related CVEs : CVE-2024-49769

DoS due to resource exhaustion has been fixed in waitress, a Python Web Server Gateway Interface server.

ELA-1235-1 unbound security update (by )

Fri, 15 Nov 2024 14:02:20 +0100

Package : unbound

Version : 1.9.0-2+deb10u5 (buster)

Multiple vulnerabilities were discovered in unbound, a validating, recursive, caching DNS resolver.

CVE-2024-8508

When handling replies with very large RRsets that unbound needs to perform
name compression for, it can spend a considerable time applying name
compression to downstream replies, potentially leading to degraded
performance and eventually denial of service in well orchestrated attacks.

CVE-2024-43167

A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in
Unbound. This issue could allow an attacker who can invoke specific
sequences of API calls to cause a segmentation fault. When certain API
functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a
particular order, the program attempts to read from a NULL pointer,
leading to a crash. This issue can result in a denial of service by causing
the application to terminate unexpectedly.

CVE-2024-43168

A heap-buffer-overflow flaw was found in the cfg_mark_ports function within
Unbound's config_file.c, which can lead to memory corruption. This issue
could allow an attacker with local access to provide specially crafted
input, potentially causing the application to crash or allowing arbitrary
code execution. This could result in a denial of service or unauthorized
actions on the system.

ELA-1234-1 apache2 security update (by )

Fri, 15 Nov 2024 08:36:15 +0000

Package : apache2

Version : 2.4.59-1~deb10u4 (buster)

Related CVEs : CVE-2024-38473

A vulnerability was found in apache2, a popular web server.

An encoding problem in mod_proxy allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

This affects configurations where mechanisms other than ProxyPass/ProxyPassMatch or RewriteRule with the ‘P’ flag are used to configure a request to be proxied, such as SetHandler or inadvertent proxying via CVE-2024-39573.

Note that these alternate mechanisms may be used within .htaccess.

Monthly report about Debian Long Term Support, October 2024 (by Roberto C. Sánchez)

Roberto C. Sánchez — Tue, 12 Nov 2024 00:00:00 +0000

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In October, 20 contributors have been paid to work on Debian LTS, their reports are available:

Abhijith PA did 6.0h (out of 7.0h assigned and 7.0h from previous period), thus carrying over 8.0h to the next month.
Adrian Bunk did 15.0h (out of 87.0h assigned and 13.0h from previous period), thus carrying over 85.0h to the next month.
Arturo Borrero Gonzalez did 10.0h (out of 10.0h assigned).
Bastien Roucariès did 20.0h (out of 20.0h assigned).
Ben Hutchings did 4.0h (out of 0.0h assigned and 4.0h from previous period).
Chris Lamb did 18.0h (out of 18.0h assigned).
Daniel Leidert did 29.0h (out of 26.0h assigned and 3.0h from previous period).
Emilio Pozuelo Monfort did 60.0h (out of 23.5h assigned and 36.5h from previous period).
Guilhem Moulin did 7.5h (out of 19.75h assigned and 0.25h from previous period), thus carrying over 12.5h to the next month.
Lee Garrett did 15.25h (out of 0.0h assigned and 60.0h from previous period), thus carrying over 44.75h to the next month.
Lucas Kanashiro did 10.0h (out of 10.0h assigned and 10.0h from previous period), thus carrying over 10.0h to the next month.
Markus Koschany did 40.0h (out of 40.0h assigned).
Ola Lundqvist did 14.5h (out of 6.5h assigned and 17.5h from previous period), thus carrying over 9.5h to the next month.
Roberto C. Sánchez did 9.75h (out of 24.0h assigned), thus carrying over 14.25h to the next month.
Santiago Ruano Rincón did 23.5h (out of 25.0h assigned), thus carrying over 1.5h to the next month.
Sean Whitton did 6.25h (out of 1.0h assigned and 5.25h from previous period).
Stefano Rivera did 1.0h (out of 0.0h assigned and 10.0h from previous period), thus carrying over 9.0h to the next month.
Sylvain Beucler did 9.5h (out of 16.0h assigned and 44.0h from previous period), thus carrying over 50.5h to the next month.
Thorsten Alteholz did 11.0h (out of 11.0h assigned).
Tobias Frost did 10.5h (out of 12.0h assigned), thus carrying over 1.5h to the next month.

Evolution of the situation

In October, we have released 35 DLAs.

Some notable updates prepared in October include denial of service vulnerability fixes in nss, regression fixes in apache2, multiple fixes in php7.4, and new upstream releases of firefox-esr, openjdk-17, and opendk-11.

Additional contributions were made for the stable Debian 12 bookworm release by several LTS contributors. Arturo Borrero Gonzalez prepared a parallel update of nss, Bastien Roucariès prepared a parallel update of apache2, and Santiago Ruano Rincón prepared updates of activemq for both LTS and Debian stable.

LTS contributor Bastien Roucariès undertook a code audit of the cacti package and in the process discovered three new issues in node-dompurify, which were reported upstream and resulted in the assignment of three new CVEs.

As always, the LTS team continues to work towards improving the overall sustainability of the free software base upon which Debian LTS is built. We thank our many committed sponsors for their ongoing support.

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 109 months)
- Civil Infrastructure Platform (CIP) (for 77 months)
- VyOS Inc (for 41 months)
Gold sponsors:
- Roche Diagnostics International AG (for 119 months)
- Akamai - Linode (for 113 months)
- Babiel GmbH (for 103 months)
- Plat’Home (for 102 months)
- CINECA (for 77 months)
- University of Oxford (for 59 months)
- Deveryware (for 46 months)
- EDF SA (for 31 months)
- Dataport AöR (for 6 months)
- CERN (for 4 months)
Silver sponsors:
- Domeneshop AS (for 124 months)
- Nantes Métropole (for 118 months)
- Univention GmbH (for 110 months)
- Université Jean Monnet de St Etienne (for 110 months)
- Ribbon Communications, Inc. (for 104 months)
- Exonet B.V. (for 94 months)
- Leibniz Rechenzentrum (for 88 months)
- Ministère de l’Europe et des Affaires Étrangères (for 72 months)
- Cloudways by DigitalOcean (for 61 months)
- Dinahosting SL (for 59 months)
- Bauer Xcel Media Deutschland KG (for 53 months)
- Platform.sh SAS (for 53 months)
- Moxa Inc. (for 47 months)
- sipgate GmbH (for 45 months)
- OVH US LLC (for 43 months)
- Tilburg University (for 43 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 34 months)
- Soliton Systems K.K. (for 31 months)
- THINline s.r.o. (for 7 months)
- Copenhagen Airports A/S
Bronze sponsors:
- Evolix (for 124 months)
- Seznam.cz, a.s. (for 124 months)
- Intevation GmbH (for 121 months)
- Linuxhotel GmbH (for 121 months)
- Daevel SARL (for 120 months)
- Bitfolk LTD (for 119 months)
- Megaspace Internet Services GmbH (for 119 months)
- Greenbone AG (for 118 months)
- NUMLOG (for 118 months)
- WinGo AG (for 117 months)
- Entr’ouvert (for 108 months)
- Adfinis AG (for 106 months)
- Tesorion (for 101 months)
- GNI MEDIA (for 100 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 100 months)
- Bearstech (for 92 months)
- LiHAS (for 92 months)
- Catalyst IT Ltd (for 87 months)
- Supagro (for 82 months)
- Demarcq SAS (for 81 months)
- Université Grenoble Alpes (for 67 months)
- TouchWeb SAS (for 59 months)
- SPiN AG (for 56 months)
- CoreFiling (for 52 months)
- Institut des sciences cognitives Marc Jeannerod (for 47 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 43 months)
- Tem Innovations GmbH (for 38 months)
- WordFinder.pro (for 37 months)
- CNRS DT INSU Résif (for 36 months)
- Alter Way (for 29 months)
- Institut Camille Jordan (for 19 months)
- SOBIS Software GmbH (for 4 months)

ELA-1233-1 libarchive security update (by )

Mon, 11 Nov 2024 23:51:03 +0200

Package : libarchive

Version : 3.1.2-11+deb8u12 (jessie), 3.2.2-2+deb9u5 (stretch), 3.3.3-4+deb10u4 (buster)

Related CVEs : CVE-2024-20696

RAR reader out-of-bounds write has been fixed in libarchive, a multi-format archive and compression library.

ELA-1232-1 libseccomp security update (by )

Mon, 11 Nov 2024 13:02:02 +0200

Package : libseccomp

Version : 2.4.1-1~deb8u1 (jessie), 2.4.1-1~deb9u1 (stretch), 2.4.1-1~deb10u1 (buster)

Related CVEs : CVE-2019-9893

The kernel syscall filtering library libseccomp has been upgraded to version 2.4.1 to fix 64-bit argument comparisons.

ELA-1231-1 nss security update (by )

Sat, 09 Nov 2024 22:46:29 +0100

Package : nss

Version : 2:3.26-1+debu8u19 (jessie) 2:3.26.2-1.1+deb9u8 (stretch) 2:3.42.1-1+deb10u9 (buster)

Related CVEs : CVE-2024-6602 CVE-2024-6609

Two vulnerabilities were discovered in the nss suite of packages, which include libnss3 and other tools for dealing with certificates and security standards.

CVE-2024-6602

A mismatch between allocator and deallocator could have lead to memory corruption.

CVE-2024-6609

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again.

Debian Contributions: October’s report (by Anupa Ann Joseph)

Anupa Ann Joseph — Fri, 08 Nov 2024 00:00:00 +0000

Debian Contributions: 2024-10

rebootstrap, by Helmut Grohne

After significant changes earlier this year, the state of architecture cross bootstrap is normalizing again. More and more architectures manage to complete rebootstrap testing successfully again. Here are two examples of what kind of issues the bootstrap testing identifies.

At some point, libpng1.6 would fail to cross build on musl architectures whereas it would succeed on other ones failing to locate zlib. Adding --debug-find to the cmake invocation eventually revealed that it would fail to search in /usr/lib/<triplet>, which is the default library path. This turned out to be a bug in cmake assuming that all linux systems use glibc. libpng1.6 also gained a baseline violation for powerpc and ppc64 by enabling the use of AltiVec there.

The newt package would fail to cross build for many 32-bit architectures whereas it would succeed for armel and armhf due to -Wincompatible-pointer-types. It turns out that this flag was turned into -Werror and it was compiling with a warning earlier. The actual problem is a difference in signedness between wchar_t and FriBidChar (aka uint32_t) and actually affects native building on i386.

Miscellaneous contributions

Helmut sent 35 patches for cross build failures.
Stefano Rivera uploaded the Python 3.13.0 final release.
Stefano continued to rebuild Python packages with C extensions using Python 3.13, to catch compatibility issues before the 3.13-add transition starts.
Stefano uploaded new versions of a handful of Python packages, including: dh-python, objgraph, python-mitogen, python-truststore, and python-virtualenv.
Stefano packaged a new release of mkdocs-macros-plugin, which required packaging a new Python package for Debian, python-super-collections (now in NEW review).
Stefano helped the mini-DebConf Online Brazil get video infrastructure up and running for the event. Unfortunately, Debian’s online-DebConf setup has bitrotted over the last couple of years, and it eventually required new temporary Jitsi and Jibri instances.
Colin Watson fixed a number of autopkgtest failures to get ansible back into testing.
Colin fixed an ssh client failure in certain cases when using GSS-API key exchange, and added an integration test to ensure this doesn’t regress in future.
Colin worked on the Python 3.13 transition, fixing problems related to it in 15 packages. This included upstream work in a number of packages (postgresfixture, python-asyncssh, python-wadllib).
Colin upgraded 41 Python packages to new upstream versions.
Carles improved po-debconf-manager: now it can create merge requests to Salsa automatically (created 17, new batch coming this month), imported almost all the packages with debconf translation templates whose VCS is Salsa (currently 449 imported), added statistics per package and language, improved command line interface options. Performed user support fixing different issues. Also prepared an abstract for the talk at MiniDebConf Toulouse.
Santiago Ruano Rincón continued the organization work for the DebConf 25 conference, to be held in Brest, France. Part of the work relates to the initial edits of the sponsoring brochure. Thanks to Benjamin Somers who finalized the French and English versions.
Raphaël forwarded a couple of zim and hamster bugs to the upstream developers, and tried to diagnose a delayed startup of gdm on his laptop (cf #1085633).
On behalf of the Debian Publicity Team, Anupa interviewed 7 women from the Debian community, old and new contributors. The interview was published in Bits from Debian.

ELA-1230-1 context bugfix update (by )

Tue, 05 Nov 2024 21:43:40 +0000

Package : context

Version : 2018.04.04.20181118-1+deb10u1 (buster)

The CVE-2023-32700 fix for the texlive-bin package, released for Debian 10 “buster” as DLA-3427-1, introduced a regression in context, a general-purpose document processor. The DLA-3427-1 update broke the context binary package installation process.

This regression update corrects the issue, fixing the context package’s mtxrun script

ELA-1229-1 libheif security update (by )

Tue, 05 Nov 2024 13:21:10 -0800

Package : libheif

Version : 1.3.2-2+deb10u3 (buster)

Related CVEs : CVE-2023-0996

There was a vulnerability in the strided image parsing code in libheif, a decoder/encoder for the HEIF and AVIF image formats.

An attacker could have exploited this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call.

ELA-1228-1 openjdk-8 security update (by )

Mon, 04 Nov 2024 18:20:50 +0100

Package : openjdk-8

Version : 8u432-b06-2~deb8u1 (jessie), 8u432-b06-2~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of Java sandbox restrictions.

ELA-1227-1 libxml2 security update (by )

Sun, 03 Nov 2024 09:13:19 +0100

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u17 (jessie), 2.9.4+dfsg1-7+deb10u9 (buster)

Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, potentially allowing an attacker to perform denial of service or trigger an use-after-free situation.

CVE-2016-9318 (Debian 8 update only)

XML External Entity (XXE) attacks via a crafted document.

Note: CVE-2016-9318 has been previously addressed for Debian 10 (buster) in ELA-1195.

CVE-2017-16932

When expanding a parameter entity in a DTD, infinite recursion could lead to
an infinite loop or memory exhaustion.

CVE-2023-39615

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via
the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability
allows attackers to cause a Denial of Service (DoS) via supplying a crafted
XML file.

CVE-2023-45322

libxml2 through 2.11.5 has a use-after-free that can only occur after a
certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c.

CVE-2024-25062

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5.
When using the XML Reader interface with DTD validation and XInclude 
expansion enabled, processing crafted XML documents can lead to an 
xmlValidatePopElement use-after-free.

ELA-1226-1 perl security update (by )

Sat, 02 Nov 2024 18:08:01 +0000

Package : perl

Version : 5.20.2-3+deb8u14 (jessie), 5.24.1-3+deb9u8 (stretch), 5.28.1-6+deb10u2 (buster)

Related CVEs : CVE-2020-16156 CVE-2023-31484

Perl a popular script language was affected by multiple vulnerabilities.

CVE-2020-16156:

 An attacker can prepend checksums for modified
 packages to the beginning of CHECKSUMS files,
 before the cleartext PGP headers. This makes
 the Module::Signature::_verify() checks
 in both cpan and cpanm pass.
 Without the sigtext and plaintext arguments
 to _verify(), the _compare() check is bypassed.
 This results in _verify() only checking that
 valid signed cleartext is present somewhere
 in the file.

CVE-2023-31484:

CPAN.pm does not verify TLS certificates
when downloading distributions over HTTPS.

ELA-1225-1 texlive-bin security update (by )

Fri, 01 Nov 2024 22:31:54 +0000

Package : texlive-bin

Version : 2016.20160513.41080.dfsg-2+deb9u2 (stretch), 2018.20181218.49446-1+deb10u3 (buster)

Related CVEs : CVE-2023-32668 CVE-2024-25262

TeXLive, a popular software distribution for the TeX typesetting system that includes major TeX-related programs, macro packages, and fonts, was affected by two vulnerabilties.

CVE-2023-32668

A document (compiled with the default settings)
was allowed to make arbitrary network requests.
This occurs because full access to the socket library was
permitted by default, as stated in the documentation.

CVE-2024-25262

A heap buffer overflow was found via
the function ttfLoadHDMX:ttfdump. This vulnerability
allows attackers to cause a Denial of Service (DoS)
via supplying a crafted TTF file.

ELA-1224-1 libcpan-reporter-smoker-perl bug fix update (by )

Fri, 01 Nov 2024 22:22:16 +0000

Package : libcpan-reporter-smoker-perl

Version : 0.28-1+deb9u1 (stretch), 0.29-1+deb10u1 (buster)

This update fixes the build of this package, which was preventing security updates of perl to be tested.

ELA-1223-1 xorg-server security update (by )

Thu, 31 Oct 2024 19:53:25 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u17 (jessie), 2:1.19.2-1+deb9u20 (stretch), 2:1.20.4-1+deb10u15 (buster)

Related CVEs : CVE-2024-9632

Jan-Niklas Sohn working with Trend Micro Zero Day Initiative found an issue in the X server and Xwayland implementations published by X.Org. CVE-2024-9632 can be triggered by providing a modified bitmap to the X.Org server. This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh).

ELA-1222-1 ffmpeg security update (by )

Thu, 31 Oct 2024 19:52:19 +0200

Package : ffmpeg

Version : 7:3.2.19-0+deb9u5 (stretch), 7:4.1.11-0+deb10u2 (buster)

Multiple vulnerabilities have been fixed in the FFmpeg multimedia framework.

CVE-2020-20898 (buster)

avfilter/vf_convolution integer overflow

CVE-2020-22040

avfilter/f_reverse memory leaks

CVE-2020-22051 (buster)

avfilter/vf_tile memory leak

CVE-2020-22056 (buster)

avfilter/af_acrossover memory leak

CVE-2021-38090 (buster)

avfilter/vf_convolution integer overflow

CVE-2021-38091 (buster)

avfilter/vf_convolution integer overflow

CVE-2021-38092 (buster)

avfilter/vf_convolution integer overflow

CVE-2021-38093 (buster)

avfilter/vf_convolution integer overflow

CVE-2021-38094 (buster)

avfilter/vf_convolution integer overflow

CVE-2022-48434 (buster)

lavc/pthread_frame hwaccel use-after-free

CVE-2023-49502

avfilter/bwdif buffer overflow

CVE-2023-50010 (buster)

avfilter/vf_gradfun buffer overflow

CVE-2023-51793 (buster)

avfilter/vf_weave buffer overflow

CVE-2023-51794 (buster)

avfilter/af_stereowiden buffer overflow

CVE-2023-51798 (buster)

avfilter/vf_minterpolate floating point exception

CVE-2024-31578 (buster)

avutil/hwcontext use-after-free

CVE-2024-32230

avcodec/mpegvideo_enc buffer overflow

ELA-1221-1 mariadb-10.1 security update (by )

Wed, 30 Oct 2024 17:38:19 +0000

Package : mariadb-10.1

Version : 10.1.48-0+deb9u5 (stretch)

Several vulnerabilities have been fixed in MariaDB, a popular database server.

CVE-2022-31621

In extra/mariabackup/ds_xbstream.cc, when an error occurs
(stream_ctxt->dest_file == NULL) while executing the method xbstream_open,
the held lock is not released correctly, which allows local users
to trigger a Denial of Service (DoS) due to the deadlock.

CVE-2022-31623

In extra/mariabackup/ds_compress.cc, when an error occurs
(i.e., going to the err label) while executing the method
create_worker_threads, the held lock thd->ctrl_mutex is not released
correctly, which allows local users to trigger a Denial of Service (DoS)
due to the deadlock.

CVE-2022-31624

While executing the plugin/server_audit/server_audit.c method log_statement_ex,
the held lock lock_bigbuffer is not released correctly, which allows local
users to trigger a Denial of Service (DoS) due to the deadlock.

CVE-2022-47015

It is possible for function spider_db_mbase::print_warnings to dereference
a null pointer, thus triggering a Denial of Service (DoS).

CVE-2024-21096

A difficult to exploit vulnerability allows unauthenticated
attacker with logon to the infrastructure where MariaDB Server
executes to compromise MariaDB Server.
Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of
MariaDB Server accessible data as well as unauthorized
read access to a subset of MariaDB Server accessible
data and unauthorized ability to cause a partial
denial of service (partial DoS)

Note that fixes related to CVE-2024-21096 may break forwards and backwards compatibility in certain situations when doing logical backup and restore with plain SQL files (e.g. when using mariadb-dump or mysqldump).

The MariaDB client now has the command-line option --sandbox and the MariaDB client database prompt command \-. This enables sandbox mode for the rest of the session, until disconnected. Once in sandbox mode, any command that could do something on the shell is disabled.

Additionally mysqldump now adds the following command inside a comment at the very top of the logical SQL file to trigger sandbox mode:

/*M!999999\- enable the sandbox mode */

Newer version of MariaDB clients strip away the backslash and dash (-), and then tries to execute the internal command with a dash.

Older versions of MariaDB client and all versions of MySQL client considers this a comment, and will ignore it. There may however be situations where importing logical SQL dump files may fail due to this, so users should be advised.

Users are best protected from both security issues and interoperability issues by using the latest mariadb-dump shipped in MariaDB 11.4.3, 10.11.9, 10.6.19 and 10.5.26. The CVE-2024-21096 was officially fixed already in 11.4.2, but the latest batch of MariaDB minor maintenance releases include further improvements on the sandbox mode. For buster ELTS this CVE was fixed in verson 1:10.3.39-0+deb10u3.

Note that the mariadb-dump can be used to make the logical backups from both MariaDB and MySQL servers. Also the mariadb client program can connect to both MariaDB and MySQL servers and import those SQL dump files.

ELA-1220-1 shadow security update (by )

Mon, 28 Oct 2024 23:29:35 +0200

Package : shadow

Version : 1:4.4-4.1+deb9u2 (stretch), 1:4.5-1.1+deb10u1 (buster)

Multiple vulnerabilities have been fixed in shadow, commonly used utilities to change and administer password and group data.

CVE-2018-7169

unprivileged user can drop supplementary groups

CVE-2023-4641

gpasswd password leak

CVE-2023-29383

chfn missing control character check

ELA-1219-1 linux-5.10 security update (by )

Mon, 28 Oct 2024 12:04:14 +0100

Package : linux-5.10

Version : 5.10.226-1~deb8u1 (jessie), 5.10.226-1~deb9u1 (stretch), 5.10.226-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For Debian 10 buster, the corresponding linux-signed packages have also been updated using the Freexian CA certificate. Note that in order to boot the updated kernels using Secure Boot, the updated shim-signed packages (which ship the Freexian CA) need to be installed. For more information see the shim announcement.

Home on Freexian

Frequently Asked Questions about PHP LTS (by )

How can I access the package repositories?

On how many servers can I use the package repositories?

Why do I get HTTP 403 errors when I run apt update?

Why do I get HTTP 403 errors when I try to install a package?

What if I want to share the packages with my customers, but I can’t afford the “Pro” offer?

What is the difference between Freexian and Debian packages?

What is the default PHP version on Freexian?

What is the difference between Freexian and DEB.SURY.ORG?

What security support is provided?

What are you doing to avoid regressions from security updates?

Where can I see a list of security issues?

How long will you support PHP releases after their end-of-life?

How long will your support Debian 9?

How to switch from Debian PHP packages to Freexian PHP packages?

How to switch from DEB.SURY.ORG packages to Freexian PHP packages?

What PECL extensions are provided?

How are the PECL extensions packaged?

Which architectures are supported?

I have more questions. Where do I send them?

How to use Extended LTS (by )

Adding Extended LTS repositories to APT

Installing the Freexian archive GPG key

Configuring authentication for APT

Adding APT sources.list entries

How to access the APT repositories (by )

Installing the freexian archive GPG key

Configure APT’s sources.list

Use a customer specific URL

Host a private mirror of the package repository

How to install Linux Kernel backports (by )

Support of i386 kernel packages

Installing Linux Kernel backports

Linux 6.1

Linux 5.10

How to follow extended LTS updates (by )

Follow with an RSS feed

Follow by email

How to build a package list (by )

One package list per Debian release

Format of the package list

Combining lists from multiple systems

The ELTS cost estimation model (by )

Explanations about the ELTS cost estimation

What is included in the cost estimation

Examples of a cost estimation

A small container with a web service

An embedded product

About Debian 13 Trixie (by )

Extended LTS for Debian 13 Trixie

Support period

Architectures supported

Limitations of support

List of base packages

About Debian 12 Bookworm (by )

Extended LTS for Debian 12 Bookworm

Support period

Architectures supported

Limitations of support

List of base packages

About Debian 11 Bullseye (by )

Extended LTS for Debian 11 Bullseye

Support period

Architectures supported

Limitations of support

List of base packages

About Debian 10 Buster (by )

Extended LTS for Debian 10 Buster

Support period

Architectures supported

Limitations of support

List of base packages

About Debian 9 Stretch (by )

Extended LTS for Debian 9 Stretch

Support period

Architectures supported

Limitations of support

List of base packages

About Debian 8 Jessie (by )

Why do I get HTTP 403 errors when I run `apt update`?