Security

DSA-6047-1 squid - security update

Debian Security - 30 October, 2025 - 00:00
Leonardo Giovanni discovered that missing redaction of authentication data in the Squid proxy caching server could result in information disclosure.

https://security-tracker.debian.org/tracker/DSA-6047-1

Categories: Security

DSA-6046-1 chromium - security update

Debian Security - 30 October, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6046-1

Categories: Security

DSA-6045-1 pdns-recursor - security update

Debian Security - 29 October, 2025 - 00:00
Two vulnerabilities have been discovered in PDNS Recursor, a resolving name server: Delegation information was insufficiently validated, which could result in cache pollution.

These changes are too intrusive to be backported to the version of PDNS Recursor in the oldstable distribution (bookworm). For affected setups an update to Debian stable/trixie is recommended; no further security updates for pdns-recursor in bookworm will be issued.

https://security-tracker.debian.org/tracker/DSA-6045-1

Categories: Security

DSA-6044-1 xorg-server - security update

Debian Security - 29 October, 2025 - 00:00
Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

https://security-tracker.debian.org/tracker/DSA-6044-1

Categories: Security

DSA-6043-1 gimp - security update

Debian Security - 28 October, 2025 - 00:00
Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed DICOM or DDS images are opened.

https://security-tracker.debian.org/tracker/DSA-6043-1

Categories: Security

DSA-6042-1 webkit2gtk - security update

Debian Security - 28 October, 2025 - 00:00
The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-43272

Big Bear discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43342

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43343

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43356

Jaydev Ahire discovered that a website may be able to access sensor information without user consent.

CVE-2025-43368

Pawel Wylecial discovered that processing maliciously crafted web content may lead to an unexpected process crash.

This WebKitGTK update causes a compatibility problem with older versions of Evolution when handling e-mail attachments. For this reason, fixed versions of Evolution have also been released along with this WebKitGTK update.

https://security-tracker.debian.org/tracker/DSA-6042-1

Categories: Security

DSA-6041-1 strongswan - security update

Debian Security - 27 October, 2025 - 00:00
Xu Biang discovered a buffer overflow bug in the eap-mschapv2 plugin of strongSwan, an IKE/IPsec suite.

The eap-mschapv2 plugin doesn't correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client, which can cause an integer underflow that leads to a crash, and a heap-based buffer overflow that's potentially exploitable for remote code execution.

https://security-tracker.debian.org/tracker/DSA-6041-1

Categories: Security

DSA-6040-1 thunderbird - security update

Debian Security - 26 October, 2025 - 00:00
Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-6040-1

Categories: Security

DSA-6039-1 openjdk-25 - security update

Debian Security - 26 October, 2025 - 00:00
Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in incorrect string equality checks, XML XXE/XEE attacks or incorrect certificate validation.

https://security-tracker.debian.org/tracker/DSA-6039-1

Categories: Security

DSA-6038-1 openjdk-17 - security update

Debian Security - 25 October, 2025 - 00:00
Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in XML XXE/XEE attacks or incorrect certificate validation.

https://security-tracker.debian.org/tracker/DSA-6038-1

Categories: Security

DSA-6037-1 openjdk-21 - security update

Debian Security - 24 October, 2025 - 00:00
Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in incorrect string equality checks, XML XXE/XEE attacks or incorrect certificate validation.

https://security-tracker.debian.org/tracker/DSA-6037-1

Categories: Security

DSA-6036-1 chromium - security update

Debian Security - 23 October, 2025 - 00:00
A security issue was discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6036-1

Categories: Security

DSA-6035-1 python-internetarchive - security update

Debian Security - 23 October, 2025 - 00:00
It was discovered that insecure path handling in the Python interface to the Internet Archive/archive.org could result in overwriting a user's files.

https://security-tracker.debian.org/tracker/DSA-6035-1

Categories: Security

DSA-6034-1 tryton-sao - security update

Debian Security - 23 October, 2025 - 00:00
Brandon Da Costa and Mahdi Asfhar discovered a cross-site scripting vulnerability in the web client of the Tryton application platform.

https://security-tracker.debian.org/tracker/DSA-6034-1

Categories: Security

DSA-6033-1 bind9 - security update

Debian Security - 23 October, 2025 - 00:00
Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in cache poisoning or denial of service.

https://security-tracker.debian.org/tracker/DSA-6033-1

Categories: Security

DSA-6032-1 request-tracker4 - security update

Debian Security - 22 October, 2025 - 00:00
It was discovered that Request Tracker, an extensible trouble-ticket tracking system, is prone to a CSV injection via ticket values with special characters that are exported to a TSV from search results.

https://security-tracker.debian.org/tracker/DSA-6032-1

Categories: Security

DSA-6031-1 request-tracker5 - security update

Debian Security - 22 October, 2025 - 00:00
Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system, which could result in CSV injection via ticket values with special characters, or cross-site scripting via calendar invitations added to a ticket.

https://security-tracker.debian.org/tracker/DSA-6031-1

Categories: Security

DSA-6030-1 intel-microcode - security update

Debian Security - 22 October, 2025 - 00:00
This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities which could result in privilege escalation or denial of service.

https://security-tracker.debian.org/tracker/DSA-6030-1

Categories: Security

DSA-6029-1 ark - security update

Debian Security - 20 October, 2025 - 00:00
It was discovered that insecure path handling in the Ark archive utility could result in overwriting a user's files.

https://security-tracker.debian.org/tracker/DSA-6029-1

Categories: Security

DSA-6028-1 lxd - security update

Debian Security - 17 October, 2025 - 00:00
Multiple security issues were discovered in LXD, a system container and virtual machine manager, which could result in file disclosure, information disclosure or cross-site request forgery.

https://security-tracker.debian.org/tracker/DSA-6028-1

Categories: Security
