Security

Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.

https://security-tracker.debian.org/tracker/DSA-6024-1

It was discovered that missing input sanitising in the libtiff library could result in denial of service or potentially the execution of arbitrary code if malformed image files are processed.

https://security-tracker.debian.org/tracker/DSA-6023-1

Multiple security issues were discovered in the Lua scripting interface of Valkey, a persistent key-value database, which could result in the execution of arbitrary code or denial of service.

https://security-tracker.debian.org/tracker/DSA-6022-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6021-1

Multiple security issues were discovered in the Lua scripting interface of Redis, a persistent key-value database, which could result in the execution of arbitrary code or denial of service.

https://security-tracker.debian.org/tracker/DSA-6020-1

A flaw with the authentication cache management was discovered in the Dovecot email server, which could result in users being logged in as the wrong user in certain configurations.

https://security-tracker.debian.org/tracker/DSA-6019-1

A buffer overflow was discovered in the RGBE/HDR parser of GEGL, a graph-based image processing library, which could result in denial of service or the execution of arbitrary code if malformed files are processed.

https://security-tracker.debian.org/tracker/DSA-6018-1

Oula Kivalo reported that HAProxy, a fast and reliable load balancing reverse proxy, is prone to a denial of service vulnerability when parsing JSON numbers.

https://security-tracker.debian.org/tracker/DSA-6017-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6016-1

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit, which may result in denial of service or information leaks.

Additional details can be found in the upstream advisory: https://openssl-library.org/news/secadv/20250930.txt

https://security-tracker.debian.org/tracker/DSA-6015-1

Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed Farbfeld, Wireless Bitmap, DICOM or Apple Icon images are opened.

https://security-tracker.debian.org/tracker/DSA-6014-1

It was discovered that the symlink validation in node-tar-fs, a Node.js module that provides filesystem-like access to tar files, could be bypassed.

https://security-tracker.debian.org/tracker/DSA-6013-1

Firefox 140.3.1 has been released, which fixes connection errors with some sites; if HTTP/3 connections failed, the fallback is now handled more gracefully.

https://security-tracker.debian.org/tracker/DSA-6003-2

Eugene Medvedev discovered that nncp, a package facilitating secure store-and-forward file and mail exchange, was susceptible to path traversal with the freq and file commands.

https://security-tracker.debian.org/tracker/DSA-6012-1

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

Debian follows the Thunderbird upstream releases. Support for the 128.x series has ended, so starting with this update we're now following the 140.x series.

https://security-tracker.debian.org/tracker/DSA-6011-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6010-1

The update for libxslt announced in DSA 5979-1 introduced a regression while back porting the upstream deterministic generate-id implementation, which makes the generated IDs may remain in a non-deterministic order.

https://security-tracker.debian.org/tracker/DSA-5979-2

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

https://security-tracker.debian.org/tracker/DSA-6009-1

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

https://security-tracker.debian.org/tracker/DSA-6008-1

Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-6007-1