Security

A cross-site scripting vulnerability was discovered in hgweb, the integrated stand-alone web interface of the Mercurial version control system.

https://security-tracker.debian.org/tracker/DSA-5883-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5882-1

Multiple security issues were discovered in the Rails web framework which could result cross-site scripting, information disclosure, denial of service or bypass of content security policies.

https://security-tracker.debian.org/tracker/DSA-5881-1

An out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files was discovered in FreeType, which may result in the execution of arbitrary code when processing specially crafted fonts.

https://security-tracker.debian.org/tracker/DSA-5880-1

Alexander Tan discovered that the OpenSAML C++ library was susceptible to forging of signed SAML messages. For additional details please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20250313.txt

https://security-tracker.debian.org/tracker/DSA-5879-1

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service or HTTP request smuggling.

https://security-tracker.debian.org/tracker/DSA-5878-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5877-1

Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5876-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5875-1

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5874-1

Amel Bouziane-Leblond discovered that insufficient validation of "vnd.libreoffice.command" URI schemes could result in the execution of arbitrary macro commands.

https://security-tracker.debian.org/tracker/DSA-5873-1

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

https://security-tracker.debian.org/tracker/DSA-5872-1

Two security vulnerabilities were discovered in Emacs:

CVE-2024-53920

Elisp byte-compilation ('elisp-flymake-byte-compile') in the Flymake mode is now disabled for untrusted files.

CVE-2025-1244

An incomplete escaping of shell meta characters in the man reader component could potentially result in the execution of arbitrary shell commands. Discovered by Maxim Nikulin.

https://security-tracker.debian.org/tracker/DSA-5871-1

A heap-based buffer overflow flaw in the decoding functions of openh264, a codec library which supports H.264 encoding and decoding, may allow a remote attacker to cause a denial of service or the execution of arbitrary code if a specially crafted video is processed.

https://security-tracker.debian.org/tracker/DSA-5870-1