Security

DSA-5943-1 libblockdev - security update

Debian Security - 17 June, 2025 - 00:00
The Qualys Threat Research Unit (TRU) discovered a local privilege escalation vulnerability in libblockdev, a library for manipulating block devices. An "allow_active" user can exploit this flaw via the udisks daemon to obtain the full privileges of the root user.

Details can be found in the Qualys advisory at https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

Along with the libblockdev update, updated udisks2 packages are released, to enforce that private mounts are mounted with 'nodev,nosuid'.

https://security-tracker.debian.org/tracker/DSA-5943-1

Categories: Security

DSA-5942-1 chromium - security update

Debian Security - 11 June, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5942-1

Categories: Security

DSA-5941-1 gst-plugins-bad1.0 - security update

Debian Security - 11 June, 2025 - 00:00
Multiple vulnerabilities were discovered in the H.265 plugin for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

https://security-tracker.debian.org/tracker/DSA-5941-1

Categories: Security

DSA-5940-1 modsecurity-apache - security update

Debian Security - 8 June, 2025 - 00:00
Several vulnerabilities were discovered in modsecurity-apache, an Apache module to tighten Web application security, which may result in denial of service (high memory consumption).

https://security-tracker.debian.org/tracker/DSA-5940-1

Categories: Security

DSA-5939-1 gimp - security update

Debian Security - 6 June, 2025 - 00:00
Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed XCF, TGA, DDS, FLI or ICO files are opened.

https://security-tracker.debian.org/tracker/DSA-5939-1

Categories: Security

DSA-5938-1 python-tornado - security update

Debian Security - 6 June, 2025 - 00:00
It was discovered that the Tornado Python web framework performed excessive logging when parsing some multipart/form-data requests, which could result in denial of service.

https://security-tracker.debian.org/tracker/DSA-5938-1

Categories: Security

DSA-5937-1 webkit2gtk - security update

Debian Security - 6 June, 2025 - 00:00
The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-24223

rheza and an anonymous researcher discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-31204

Nan Wang discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-31205

Ivan Fratric discovered that a malicious website may exfiltrate data cross-origin.

CVE-2025-31206

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-31215

Jiming Wang and Jikai Ren discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-31257

Juergen Schmied discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-5937-1

Categories: Security

DSA-5936-1 libfile-find-rule-perl - security update

Debian Security - 5 June, 2025 - 00:00
It was discovered that libfile-find-rule-perl, a module to search for files based on rules, is vulnerable to arbitrary code execution when grep() encounters a crafted file name.

https://security-tracker.debian.org/tracker/DSA-5936-1

Categories: Security

DSA-5935-1 chromium - security update

Debian Security - 4 June, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Google is aware that an exploit for CVE-2025-5419 exists in the wild.

https://security-tracker.debian.org/tracker/DSA-5935-1

Categories: Security

DSA-5934-1 roundcube - security update

Debian Security - 2 June, 2025 - 00:00
It was discovered that missing input validation in RoundCube Webmail could result in code execution.

https://security-tracker.debian.org/tracker/DSA-5934-1

Categories: Security

DSA-5933-1 tcpdf - security update

Debian Security - 1 June, 2025 - 00:00
Multiple security issues were discovered in TCPDF, a PHP class for generating PDF files on-the-fly, which may result in denial of service, cross-site scripting or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5933-1

Categories: Security
