Security

DSA-6092-1 smb4k - security update

Debian Security - 1 January, 2026 - 00:00
Two vulnerabilities were discovered in smb4k, a KDE desktop utility which allows unprivileged mounting of Samba/CIFS network shares, which may result in local denial of service or local privilege escalation.

https://security-tracker.debian.org/tracker/DSA-6092-1

Categories: Security

DSA-6090-1 rails - security update

Debian Security - 21 December, 2025 - 00:00
Multiple security issues were discovered in the Rails web framework which could result in command injection or logging of unescaped ANSI sequences.

https://security-tracker.debian.org/tracker/DSA-6090-1

Categories: Security

DSA-6091-1 wordpress - security update

Debian Security - 21 December, 2025 - 00:00
Multiple security issues were discovered in the WordPress blogging tool, which could result in cross-site scripting or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6091-1

Categories: Security

DSA-6089-1 chromium - security update

Debian Security - 21 December, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6089-1

Categories: Security

DSA-6088-1 php8.4 - security update

Debian Security - 21 December, 2025 - 00:00
Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or memory disclosure.

https://security-tracker.debian.org/tracker/DSA-6088-1

Categories: Security

DSA-6087-1 roundcube - security update

Debian Security - 19 December, 2025 - 00:00
It was discovered that roundcube, a skinnable AJAX-based webmail solution for IMAP servers, is prone to a cross-site scripting vulnerability via the animate tag in an SVG document and an information disclosure vulnerability in the HTML style sanitizer.

https://security-tracker.debian.org/tracker/DSA-6087-1

Categories: Security

DSA-6086-1 dropbear - security update

Debian Security - 19 December, 2025 - 00:00
"Turistu" discovered that incorrect permission handling in the Dropbear SSH server could result in privilege escalation.

The oldstable distribution (bookworm) is not affected.

https://security-tracker.debian.org/tracker/DSA-6086-1

Categories: Security

DSA-6085-1 mediawiki - security update

Debian Security - 19 December, 2025 - 00:00
Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, information disclosure, missing rate limiting or denial of service.

https://security-tracker.debian.org/tracker/DSA-6085-1

Categories: Security

DSA-6084-1 c-ares - security update

Debian Security - 18 December, 2025 - 00:00
It was discovered that c-ares, a library that performs DNS requests and name resolution asynchronously, does not properly handle termination of queries, which may result in denial of service.

https://security-tracker.debian.org/tracker/DSA-6084-1

Categories: Security

DSA-6083-1 webkit2gtk - security update

Debian Security - 18 December, 2025 - 00:00
The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-14174

Apple and the Google Threat Analysis Group discovered that processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.

CVE-2025-43501

Hossein Lotfi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43529

The Google Threat Analysis Group discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

CVE-2025-43531

Phil Pizlo discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43535

Google Big Sleep / Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43536

Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43541

Hossein Lotfi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-6083-1

Categories: Security

DSA-6082-1 vlc - security update

Debian Security - 14 December, 2025 - 00:00
Multiple vulnerabilities were discovered in the VLC media player, which could result in denial of service or potentially the execution of arbitrary code if a malformed video file is opened.

https://security-tracker.debian.org/tracker/DSA-6082-1

Categories: Security

DSA-6081-1 thunderbird - security update

Debian Security - 14 December, 2025 - 00:00
Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-6081-1

Categories: Security

DSA-6080-1 chromium - security update

Debian Security - 12 December, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. An additional CVE (that has yet to be assigned) is fixed in this release; Google is aware of an exploit in the wild for that issue.

https://security-tracker.debian.org/tracker/DSA-6080-1

Categories: Security

DSA-6079-1 ffmpeg - security update

Debian Security - 10 December, 2025 - 00:00
Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-6079-1

Categories: Security

DSA-6078-1 firefox-esr - security update

Debian Security - 10 December, 2025 - 00:00
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, same-origin policy bypass or privilege escalation.

https://security-tracker.debian.org/tracker/DSA-6078-1

Categories: Security

DSA-6077-1 pdns-recursor - security update

Debian Security - 10 December, 2025 - 00:00
Insufficient validation of incoming notifies over TCP in PDNS Recursor, a resolving name server, could result in denial of service.

https://security-tracker.debian.org/tracker/DSA-6077-1

Categories: Security

DSA-6076-1 libpng1.6 - security update

Debian Security - 10 December, 2025 - 00:00
Several vulnerabilities were reported in the libpng PNG library, which could lead to information leaks, denial of service or potentially the execution of arbitrary code if a specially crafted image is processed.

https://security-tracker.debian.org/tracker/DSA-6076-1

Categories: Security

DSA-6075-1 wordpress - security update

Debian Security - 10 December, 2025 - 00:00
Multiple security issues were discovered in the WordPress blogging tool, which could result in cross-site scripting or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6075-1

Categories: Security

DSA-6074-1 webkit2gtk - security update

Debian Security - 9 December, 2025 - 00:00
The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-13947

Janet Black discovered that a website may be able to exfiltrate sensitive system information.

CVE-2025-43421

Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43458

Phil Beauvoir discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-66287

Stanislav Fort discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-6074-1

Categories: Security

DSA-6073-1 ffmpeg - security update

Debian Security - 7 December, 2025 - 00:00
Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-6073-1

Categories: Security

Subscribe to Creative Contingencies aggregator - Security