Security

It was discovered that libfile-find-rule-perl, a module to search for files based on rules, is vulnerable to arbitrary code execution when grep() encounters a crafted file name.

https://security-tracker.debian.org/tracker/DSA-5936-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Google is aware that an exploit for CVE-2025-5419 exists in the wild.

https://security-tracker.debian.org/tracker/DSA-5935-1

It was discovered that missing input validation in RoundCube Webmail could result in code execution.

https://security-tracker.debian.org/tracker/DSA-5934-1

Multiple security issues were discovered in TCPDF, a PHP class for generating PDF files on-the-fly, which may result in denial of service, cross-site scripting or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5933-1

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5932-1

The Qualys Threat Research Unit (TRU) discovered that systemd-coredump is prone to a kill-and-replace race condition which may allow a local attacker to gain sensitive information from crashed SUID processes. Additionally systemd-coredump does not specify %d (the kernel's per- process "dumpable" flag) in /proc/sys/kernel/core_pattern allowing a local attacker to crash root daemons that fork() and setuid() to the attacker's uid and consequently gain read access to the resulting core dumps and therefore to sensitive information from memory of the root daemons.

Details can be found in the Qualys advisory at https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt

https://security-tracker.debian.org/tracker/DSA-5931-1

Multiple vulnerabilities were discovered in libavif, a library for handling .avif files, which could result in denial of service or potentially the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5930-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5929-1

The update for net-tools announced in DSA 5923-1 introduced a regression for ifconfig always showing zero value packet counters. Updated packages are now available to correct this issue. Two additional stack-based buffer overflow flaws are addressed in this update.

https://security-tracker.debian.org/tracker/DSA-5923-2

It was discovered that a double-free in the encoder of libvpx, a multimedia library for the VP8 and VP9 video codecs, may result in denial of service and potentially the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5928-1

It was discovered that Yelp, the help browser for the GNOME desktop, allowed help files to execute arbitrary scripts. Opening a malformed help file could have resulted in data exfiltration.

https://security-tracker.debian.org/tracker/DSA-5927-1

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or cross-origin leaks.

https://security-tracker.debian.org/tracker/DSA-5926-1

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For CPUs affected to ITS (Indirect Target Selection), to fully mitigate the vulnerability it is also necessary to update the intel-microcode packages released in DSA 5924-1.

For details on the Indirect Target Selection (ITS) vulnerability please refer to https://www.vusec.net/projects/training-solo/ and https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/indirect-target-selection.html .

https://security-tracker.debian.org/tracker/DSA-5925-1

This update ships updated CPU microcode for some types of Intel CPUs. In particular it provides mitigations for the Indirect Target Selection (ITS) vulnerability (CVE-2024-28956) and the Branch Privilege Injection vulnerability (CVE-2024-45332).

For CPUs affected to ITS (Indirect Target Selection), to fully mitigate the vulnerability it is also necessary to update the Linux kernel packages released in a separate, forthcoming DSA.

For details on the Indirect Target Selection (ITS) vulnerability please refer to https://www.vusec.net/projects/training-solo/ and https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/indirect-target-selection.html .

For details on the Branch Privilege Injection vulnerability please refer to https://comsec.ethz.ch/research/microarch/branch-privilege-injection/

https://security-tracker.debian.org/tracker/DSA-5924-1