Security

DSA-5983-1 qemu - security update

Debian Security - 22 August, 2025 - 00:00
This update removes the usage of the C (Credential) flag for the binfmt_misc registration within the qemu-user package, as it allowed for privilege escalation when running a suid/sgid binary under qemu-user. This means suid/sgid foreign-architecture binaries are not running with elevated privileges under qemu-user anymore. If you relied on this behavior of qemu-user in the past (running suid/sgid foreign-arch binaries), this will require changes to your deployment.

In Bookworm the affected packages are qemu-user-static (and qemu-user-binfmt) instead of qemu-user.

Additionally, two security issues were fixed in the SR-IOV support of QEMU system emulation.

https://security-tracker.debian.org/tracker/DSA-5983-1

Categories: Security

DSA-5982-1 squid - security update

Debian Security - 21 August, 2025 - 00:00
Two security issues were discovered in the Squid proxy caching server, which could result in the execution of arbitrary code, information disclosure or denial of service.

https://security-tracker.debian.org/tracker/DSA-5982-1

Categories: Security

DSA-5981-1 chromium - security update

Debian Security - 21 August, 2025 - 00:00
A security issue was discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5981-1

Categories: Security

DSA-5980-1 firefox-esr - security update

Debian Security - 20 August, 2025 - 00:00
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy.

https://security-tracker.debian.org/tracker/DSA-5980-1

Categories: Security

DSA-5979-1 libxslt - security update

Debian Security - 19 August, 2025 - 00:00
Two vulnerabilities were found in libxslt, the XSLT 1.0 processing library, which may lead to information disclosure and DoS attack.

CVE-2023-40403

Information disclosure with weak memory handling of generated-id()

CVE-2025-7424

Type confusion in xmlNode.psvi between stylesheet and source nodes, which may allow an attacker to crash the application or corrupt memory.

https://security-tracker.debian.org/tracker/DSA-5979-1

Categories: Security

DSA-5978-1 webkit2gtk - security update

Debian Security - 18 August, 2025 - 00:00
The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-6558

Clement Lecigne and Vlad Stolyarov discovered that processing maliciously crafted web content may lead to an unexpected crash.

CVE-2025-31273

Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-31278

Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-43211

Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei discovered that processing web content may lead to a denial-of-service.

CVE-2025-43212

Nan Wang and Ziling Chen discovered that processing maliciously crafted web content may lead to an unexpected crash.

CVE-2025-43216

Ignacio Sanmillan discovered that processing maliciously crafted web content may lead to an unexpected crash.

CVE-2025-43227

Gilad Moav discovered that processing maliciously crafted web content may disclose sensitive user information.

CVE-2025-43228

Jaydev Ahire discovered that visiting a malicious website may lead to address bar spoofing.

CVE-2025-43240

Syarif Muhammad Sajjad discovered that a download's origin may be incorrectly associated.

CVE-2025-43265

HexRabbit discovered that processing maliciously crafted web content may disclose internal states of the app.

https://security-tracker.debian.org/tracker/DSA-5978-1

Categories: Security

DSA-5977-1 aide - security update

Debian Security - 14 August, 2025 - 00:00
Rajesh Pangare discovered two vulnerabilities in aide, an advanced intrusion detection system. A local attacker can take advantage of these flaws to hide the addition or removal of a file from the report, tamper with the log output, or cause aide to crash during report printing or database listing.

https://security-tracker.debian.org/tracker/DSA-5977-1

Categories: Security

DSA-5976-1 chromium - security update

Debian Security - 14 August, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5976-1

Categories: Security

DSA-5975-1 linux - security update

Debian Security - 13 August, 2025 - 00:00
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

https://security-tracker.debian.org/tracker/DSA-5975-1

Categories: Security

DSA-5974-1 pgpool2 - security update

Debian Security - 13 August, 2025 - 00:00
Two security issues were found in pgpool-II, the connection pool server and replication proxy for PostgreSQL, which could result in authentication bypass and exposure of sensitive information.

https://security-tracker.debian.org/tracker/DSA-5974-1

Categories: Security

DSA-5973-1 linux - security update

Debian Security - 12 August, 2025 - 00:00
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

https://security-tracker.debian.org/tracker/DSA-5973-1

Categories: Security

DSA-5972-1 openjdk-17 - security update

Debian Security - 12 August, 2025 - 00:00
Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or weakened TLS connections.

https://security-tracker.debian.org/tracker/DSA-5972-1

Categories: Security

DSA-5971-1 chromium - security update

Debian Security - 6 August, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5971-1

Categories: Security

DSA-5970-1 sope - security update

Debian Security - 31 July, 2025 - 00:00
Stefan Buehler discovered a flaw in sope, the set of Objective-C frameworks powering SOGo, which may result in denial of service via a specially crafted POST request.

https://security-tracker.debian.org/tracker/DSA-5970-1

Categories: Security

DSA-5969-1 redis - security update

Debian Security - 31 July, 2025 - 00:00
Several security issues were discovered in Redis, a persistent key-value database, which could result in the execution of arbitrary code or denial of service.

https://security-tracker.debian.org/tracker/DSA-5969-1

Categories: Security

DSA-5968-1 chromium - security update

Debian Security - 30 July, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5968-1

Categories: Security

DSA-5967-1 php8.2 - security update

Debian Security - 28 July, 2025 - 00:00
Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or server side request forgery.

https://security-tracker.debian.org/tracker/DSA-5967-1

Categories: Security

DSA-5966-1 thunderbird - security update

Debian Security - 27 July, 2025 - 00:00
Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5966-1

Categories: Security

DSA-5965-1 chromium - security update

Debian Security - 24 July, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5965-1

Categories: Security

DSA-5964-1 firefox-esr - security update

Debian Security - 23 July, 2025 - 00:00
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5964-1

Categories: Security
