Security

It was discovered that a use-after-free vulnerability in Exim4, a mail transport agent, may result in privilege escalation for a local attacker.

https://security-tracker.debian.org/tracker/DSA-5887-1

Multiple security issues were found in Rack, an interface for developing web applications in Ruby, which could result in log injection or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5886-1

The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2024-44192

Tashita Software Security discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2024-54467

Narendra Bhati discovered that a malicious website may exfiltrate data cross-origin.

CVE-2025-24201

Apple discovered that maliciously crafted web content may be able to break out of Web Content sandbox.

https://security-tracker.debian.org/tracker/DSA-5885-1

Ivan Fratric discovered two use-after-free vulnerabilities in libxslt, an XSLT processing runtime library, which may result in the execution of arbitrary code if a specially crafted files are processed.

https://security-tracker.debian.org/tracker/DSA-5884-1

A cross-site scripting vulnerability was discovered in hgweb, the integrated stand-alone web interface of the Mercurial version control system.

https://security-tracker.debian.org/tracker/DSA-5883-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5882-1

Multiple security issues were discovered in the Rails web framework which could result cross-site scripting, information disclosure, denial of service or bypass of content security policies.

https://security-tracker.debian.org/tracker/DSA-5881-1

An out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files was discovered in FreeType, which may result in the execution of arbitrary code when processing specially crafted fonts.

https://security-tracker.debian.org/tracker/DSA-5880-1

Alexander Tan discovered that the OpenSAML C++ library was susceptible to forging of signed SAML messages. For additional details please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20250313.txt

https://security-tracker.debian.org/tracker/DSA-5879-1

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service or HTTP request smuggling.

https://security-tracker.debian.org/tracker/DSA-5878-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5877-1

Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5876-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5875-1

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5874-1

Amel Bouziane-Leblond discovered that insufficient validation of "vnd.libreoffice.command" URI schemes could result in the execution of arbitrary macro commands.

https://security-tracker.debian.org/tracker/DSA-5873-1

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

https://security-tracker.debian.org/tracker/DSA-5872-1

Two security vulnerabilities were discovered in Emacs:

CVE-2024-53920

Elisp byte-compilation ('elisp-flymake-byte-compile') in the Flymake mode is now disabled for untrusted files.

CVE-2025-1244

An incomplete escaping of shell meta characters in the man reader component could potentially result in the execution of arbitrary shell commands. Discovered by Maxim Nikulin.

https://security-tracker.debian.org/tracker/DSA-5871-1

A heap-based buffer overflow flaw in the decoding functions of openh264, a codec library which supports H.264 encoding and decoding, may allow a remote attacker to cause a denial of service or the execution of arbitrary code if a specially crafted video is processed.

https://security-tracker.debian.org/tracker/DSA-5870-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5869-1

The Qualys Threat Research Unit (TRU) discovered that the OpenSSH client is vulnerable to a machine-in-the-middle attack if the VerifyHostKeyDNS option is enabled (disabled by default).

Details can be found in the Qualys advisory at https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt

https://security-tracker.debian.org/tracker/DSA-5868-1