Security

DSA-6080-1 chromium - security update

Debian Security - 12 December, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. An additional CVE (that has yet to be assigned) is fixed in this release; Google is aware of an exploit in the wild for that issue.

https://security-tracker.debian.org/tracker/DSA-6080-1

Categories: Security

DSA-6079-1 ffmpeg - security update

Debian Security - 10 December, 2025 - 00:00
Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-6079-1

Categories: Security

DSA-6078-1 firefox-esr - security update

Debian Security - 10 December, 2025 - 00:00
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, same-origin policy bypass or privilege escalation.

https://security-tracker.debian.org/tracker/DSA-6078-1

Categories: Security

DSA-6077-1 pdns-recursor - security update

Debian Security - 10 December, 2025 - 00:00
Insufficient validation of incoming notifies over TCP in PDNS Recursor, a resolving name server, could result in denial of service.

https://security-tracker.debian.org/tracker/DSA-6077-1

Categories: Security

DSA-6076-1 libpng1.6 - security update

Debian Security - 10 December, 2025 - 00:00
Several vulnerabilities were reported in the libpng PNG library, which could lead to information leaks, denial of service or potentially the execution of arbitrary code if a specially crafted image is processed.

https://security-tracker.debian.org/tracker/DSA-6076-1

Categories: Security

DSA-6075-1 wordpress - security update

Debian Security - 10 December, 2025 - 00:00
Multiple security issues were discovered in the WordPress blogging tool, which could result in cross-site scripting or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6075-1

Categories: Security

DSA-6074-1 webkit2gtk - security update

Debian Security - 9 December, 2025 - 00:00
The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-13947

Janet Black discovered that a website may be able to exfiltrate sensitive system information.

CVE-2025-43421

Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43458

Phil Beauvoir discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-66287

Stanislav Fort discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-6074-1

Categories: Security

DSA-6073-1 ffmpeg - security update

Debian Security - 7 December, 2025 - 00:00
Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-6073-1

Categories: Security

DSA-6072-1 chromium - security update

Debian Security - 4 December, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6072-1

Categories: Security

DSA-6071-1 unbound - security update

Debian Security - 4 December, 2025 - 00:00
It was discovered that incorrect handling of promiscuous NS RRSets in Unbound, a validating, recursive, caching DNS resolver, could result in cache poisoning.

https://security-tracker.debian.org/tracker/DSA-6071-1

Categories: Security

DSA-6070-1 webkit2gtk - security update

Debian Security - 4 December, 2025 - 00:00
The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-43392

Tom Van Goethem discovered that a website may exfiltrate image data cross-origin.

CVE-2025-43425

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43427

Gary Kwong and rheza discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43429

Google Big Sleep discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43430

Google Big Sleep discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43431

Google Big Sleep discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-43432

Hossein Lotfi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43434

Google Big Sleep discovered that processing maliciously crafted web content may lead to an unexpected browser crash.

CVE-2025-43440

Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43443

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-6070-1

Categories: Security

DSA-6069-1 openvpn - security update

Debian Security - 3 December, 2025 - 00:00
It was discovered that openvpn, a virtual private network application, does not properly handle HMAC verification checks. A remote attacker can take advantage of this flaw to bypass source IP address validation.

https://security-tracker.debian.org/tracker/DSA-6069-1

Categories: Security

DSA-6068-1 xen - security update

Debian Security - 2 December, 2025 - 00:00
Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in memory disclosure, denial of service or privilege escalation.

https://security-tracker.debian.org/tracker/DSA-6068-1

Categories: Security

DSA-6067-1 containerd - security update

Debian Security - 2 December, 2025 - 00:00
Two security vulnerabilities were discovered in the Containerd container runtime, which may result in denial of service or local privilege escalation.

https://security-tracker.debian.org/tracker/DSA-6067-1

Categories: Security

DSA-6066-1 gnome-shell-extension-gsconnect - security update

Debian Security - 30 November, 2025 - 00:00
It was discovered that missing validation of the device ID during handshakes in KDE Connect, a tool to integrate smart phones to a desktop, could allow an attacker to impersonate another device.

The oldstable distribution (bookworm) is not affected.

https://security-tracker.debian.org/tracker/DSA-6066-1

Categories: Security

DSA-6065-1 krita - security update

Debian Security - 27 November, 2025 - 00:00
It was discovered that a buffer overflow in the TGA parser of Krita, a creative application for raster images, could potentially result in the execution of arbitrary code if malformed images are opened.

https://security-tracker.debian.org/tracker/DSA-6065-1

Categories: Security

DSA-6064-1 tryton-server - security update

Debian Security - 27 November, 2025 - 00:00
Several security vulnerabilities were discovered in the server of the Tryton application platform, which could lead to information disclosure.

https://security-tracker.debian.org/tracker/DSA-6064-1

Categories: Security

DSA-6063-1 kdeconnect - security update

Debian Security - 26 November, 2025 - 00:00
It was discovered that missing validation of the device ID during handshakes in KDE Connect, a tool to integrate smart phones to a desktop, could allow an attacker to impersonate another device.

The oldstable distribution (bookworm) is not affected.

https://security-tracker.debian.org/tracker/DSA-6063-1

Categories: Security

DSA-6062-1 pdfminer - security update

Debian Security - 25 November, 2025 - 00:00
A vulnerability was discovered in pdfminer, a tool for extracting information from PDF documents, which may result in the execution of arbitrary code if a specially crafted PDF file is processed.

https://security-tracker.debian.org/tracker/DSA-6062-1

Categories: Security

DSA-6061-1 tryton-sao - security update

Debian Security - 25 November, 2025 - 00:00
Abdulfatah Abdillahi discovered a cross-site scripting vulnerability in the web client of the Tryton application platform.

https://security-tracker.debian.org/tracker/DSA-6061-1

Categories: Security
