DSA-6002-1 node-sha.js - security update
It was discovered that Node sha.js, an implementation of the SHA family
hash functions in pure JavaScript, performed incomplete type checks.
DSA-6001-1 cjson - security update
It was discovered that cJSON, an ultralightweight JSON parser, performed
insufficient input sanitising, which could result in out-of-bounds
memory access.
DSA-5997-1 imagemagick - security update
Multiple memory corruption vulnerabilities were discovered in imagemagick,
a software suite used for editing and manipulating digital images, which
could lead to information leak, denial of service, and potentially arbitrary
code execution.
DSA-6000-1 libcpanel-json-xs-perl - security update
Michael Hudak discovered a flaw in libcpanel-json-xs-perl, a module for
fast and correct serialising to JSON. An integer buffer overflow causing
a segfault when parsing specially crafted JSON may allow an attacker to
mount a denial-of-service attack or cause other unspecified impact.
DSA-5999-1 libjson-xs-perl - security update
Michael Hudak discovered a flaw in libjson-xs-perl, a module for
manipulating JSON-formatted data. An integer buffer overflow causing a
segfault when parsing specially crafted JSON may allow an attacker to
mount a denial-of-service attack or cause other unspecified impact.
DSA-5998-1 cups - security update
Two vulnerabilities were discovered in cups, the Common UNIX Printing
System, which may result in authentication bypass with AuthType
Negotiate or in denial of service (daemon crash).
DSA-5996-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
DSA-5995-1 hsqldb1.8.0 - security update
Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
database engine, allowed the execution of spurious scripting commands in
.script and .log files. Hsqldb supports a "SCRIPT" keyword which is normally
used to record the commands input by the database admin to output such a
script. In combination with LibreOffice, an attacker could craft an odb
containing a "database/script" file which itself contained a SCRIPT command
where the contents of the file could be written to a new file whose location
was determined by the attacker.
DSA-5994-1 shibboleth-sp - security update
Florian Stuhlmann discovered a SQL vulnerability in the ODBC plugin in the
Shibboleth Service Provider which may result in an information leak.
For additional information please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20250903.txt
DSA-5993-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
DSA-5992-1 firebird4.0 - security update
Two vulnerabilities were discovered in the Firebird database, which may
result in denial of service or authentication bypass.
DSA-5991-1 nodejs - security update
Multiple vulnerabilities were discovered in Node.js, which could result
in denial of service, HTTP request smuggling, privilege escalation, a
side channel attack against PKCS#1 1.5 or a bypass of network import
restrictions.
DSA-5990-1 libxml2 - security update
A flaw was found in libxslt, the XSLT 1.0 processing library, where the
attribute type, atype, flags are modified in a way that corrupts internal
memory management. This is addressed by adding guards in libxml2, the
GNOME XML library, preventing the heap use-after-free from happening.
DSA-5989-1 udisks2 - security update
Michael Imfeld discovered an out-of-bounds read vulnerability in
udisks2, a D-Bus service to access and manipulate storage devices, which
may result in denial of service (daemon process crash), or in mapping an
internal file descriptor from the daemon process onto a loop device,
resulting in local privilege escalation.
DSA-5988-1 chromium - security update
A security issue was discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
DSA-5987-1 unbound - security update
Multiple security issues were discovered in Unbound, a validating,
recursive, caching DNS resolver, which may result in denial of service
or cache poisoning via the "rebirthday attack".
DSA-5986-1 node-cipher-base - security update
Nikita Skorovoda discovered that Node cipher-base, an abstract base
class for crypto-streams, performed incomplete type checks.
DSA-5985-1 ffmpeg - security update
Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.
DSA-5984-1 thunderbird - security update
Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.
DSA-5983-1 qemu - security update
This update removes the usage of the C (Credential) flag for the
binfmt_misc registration within the qemu-user package, as it allowed for
privilege escalation when running a suid/sgid binary under qemu-user.
This means suid/sgid foreign-architecture binaries no longer run with
elevated privileges under qemu-user. If you relied on this behavior of
qemu-user in the past (running suid/sgid foreign-arch binaries), this
will require changes to your deployment.
In Bookworm the affected packages are qemu-user-static (and qemu-user-binfmt) instead of qemu-user.
Additionally, two security issues were fixed in the SR-IOV support of QEMU system emulation.