Here are the latest security advisories for the Debian Linux distribution:

- DSA-5955-1 chromium - security update
  Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Google is aware that an exploit for CVE-2025-6554 exists in the wild.
  https://security-tracker.debian.org/tracker/DSA-5955-1

- DSA-5954-1 sudo - security update
  Rich Mirch discovered that sudo, a program designed to provide limited super user privileges to specific users, does not correctly handle the host (-h or --host) option. Due to a bug, the host option was not restricted to listing privileges only and could be used when running a command via sudo or editing a file with sudoedit. Depending on the rules present in the sudoers file, the flaw might allow a local privilege escalation attack.
  https://security-tracker.debian.org/tracker/DSA-5954-1

- DSA-5953-1 catdoc - security update
  Several vulnerabilities were discovered in catdoc, a text extractor for MS-Office files, which may result in denial of service or the execution of arbitrary code if a specially crafted file is processed.
  https://security-tracker.debian.org/tracker/DSA-5953-1

- DSA-5952-1 chromium - security update
  Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.
  https://security-tracker.debian.org/tracker/DSA-5952-1

- DSA-5951-1 icu - security update
  A buffer overflow was discovered in the International Components for Unicode (ICU) library.
  https://security-tracker.debian.org/tracker/DSA-5951-1

- DSA-5950-1 firefox-esr - security update
  Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.
  https://security-tracker.debian.org/tracker/DSA-5950-1

- DSA-5949-1 libxml2 - security update
  Multiple memory related vulnerabilities, including use-after-free, out-of-bounds memory access and NULL pointer dereference, were discovered in the GNOME XML Parser and Toolkit Library and its Python bindings, which may cause denial of service or other unintended behaviors.
  https://security-tracker.debian.org/tracker/DSA-5949-1

- DSA-5948-1 trafficserver - security update
  Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling or incorrect processing of ACLs.
  https://security-tracker.debian.org/tracker/DSA-5948-1

- DSA-5947-1 xorg-server - security update
  Nils Emmerich discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.
  https://security-tracker.debian.org/tracker/DSA-5947-1

- DSA-5946-1 gdk-pixbuf - security update
  It was discovered that incorrect bounds validation in the GIF decoder of the GDK Pixbuf library may result in memory disclosure.
  https://security-tracker.debian.org/tracker/DSA-5946-1

- DSA-5945-1 konsole - security update
  Dennis Dast discovered that the Konsole terminal emulator insecurely handled the telnet URI scheme, which could result in the execution of arbitrary code in some configurations.
  https://security-tracker.debian.org/tracker/DSA-5945-1

- DSA-5944-1 chromium - security update
  Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.
  https://security-tracker.debian.org/tracker/DSA-5944-1

- DSA-5943-1 libblockdev - security update
  The Qualys Threat Research Unit (TRU) discovered a local privilege escalation vulnerability in libblockdev, a library for manipulating block devices. An "allow_active" user can exploit this flaw via the udisks daemon to obtain the full privileges of the root user. Details can be found in the Qualys advisory at https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
  Along with the libblockdev update, updated udisks2 packages are released to enforce that private mounts are mounted with 'nodev,nosuid'.
  https://security-tracker.debian.org/tracker/DSA-5943-1

- DSA-5942-1 chromium - security update
  Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.
  https://security-tracker.debian.org/tracker/DSA-5942-1

- DSA-5941-1 gst-plugins-bad1.0 - security update
  Multiple vulnerabilities were discovered in the H.265 plugin for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.
  https://security-tracker.debian.org/tracker/DSA-5941-1

- DSA-5940-1 modsecurity-apache - security update
  Several vulnerabilities were discovered in modsecurity-apache, an Apache module to tighten web application security, which may result in denial of service (high memory consumption).
  https://security-tracker.debian.org/tracker/DSA-5940-1

- DSA-5939-1 gimp - security update
  Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed XCF, TGA, DDS, FLI or ICO files are opened.
  https://security-tracker.debian.org/tracker/DSA-5939-1

- DSA-5938-1 python-tornado - security update
  It was discovered that the Tornado Python web framework performed excessive logging when parsing some multipart/form-data requests, which could result in denial of service.
  https://security-tracker.debian.org/tracker/DSA-5938-1

- DSA-5937-1 webkit2gtk - security update
  The following vulnerabilities have been discovered in the WebKitGTK web engine:
  - CVE-2025-24223: rheza and an anonymous researcher discovered that processing maliciously crafted web content may lead to memory corruption.
  - CVE-2025-31204: Nan Wang discovered that processing maliciously crafted web content may lead to memory corruption.
  - CVE-2025-31205: Ivan Fratric discovered that a malicious website may exfiltrate data cross-origin.
  - CVE-2025-31206: An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.
  - CVE-2025-31215: Jiming Wang and Jikai Ren discovered that processing maliciously crafted web content may lead to an unexpected process crash.
  - CVE-2025-31257: Juergen Schmied discovered that processing maliciously crafted web content may lead to an unexpected process crash.
  https://security-tracker.debian.org/tracker/DSA-5937-1

- DSA-5936-1 libfile-find-rule-perl - security update
  It was discovered that libfile-find-rule-perl, a module to search for files based on rules, is vulnerable to arbitrary code execution when grep() encounters a crafted file name.
  https://security-tracker.debian.org/tracker/DSA-5936-1