Security

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service or memory disclosure.

https://security-tracker.debian.org/tracker/DSA-6088-1

It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, is prone to a cross-site scripting vulnerability via the animate tag in an SVG document and a information disclosure vulnerability in the HTML style sanitizer.

https://security-tracker.debian.org/tracker/DSA-6087-1

"Turistu" discovered that incorrect permission handling in the Dropbear SSH server could result in privilege escalation.

The oldstable distribution (bookworm) is not affected.

https://security-tracker.debian.org/tracker/DSA-6086-1

Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, information disclosure, missing rate limiting or denial of service.

https://security-tracker.debian.org/tracker/DSA-6085-1

It was discovered that c-ares, a library that performs DNS requests and name resolution asynchronously, does not properly handle termination of queries which may result in denial of service.

https://security-tracker.debian.org/tracker/DSA-6084-1

The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-14174

Apple and the Google Threat Analysis Group discovered that processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.

CVE-2025-43501

Hossein Lotfi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43529

The Google Threat Analysis Group discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

CVE-2025-43531

Phil Pizlo discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43535

Google Big Sleep / Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43536

Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43541

Hossein Lotfi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-6083-1

Multiple vulnerabilities were discovered in the VLC media player, which could result in denial of service or potentially the execution of arbitrary code if a malformed video file is opened.

https://security-tracker.debian.org/tracker/DSA-6082-1

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-6081-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. An additional CVE (that has yet to be assigned) is fixed in this release; Google is aware of an expoit in the wild for that issue.

https://security-tracker.debian.org/tracker/DSA-6080-1

Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-6079-1

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, same-origin policy bypass or privilege escalation.

https://security-tracker.debian.org/tracker/DSA-6078-1

Insufficient validation of incoming notifies over TCP in PDNS Recursor, a resolving name server, could result in denial of service.

https://security-tracker.debian.org/tracker/DSA-6077-1

Several vulnerabilities were reported in the libpng PNG library, which could lead to information leaks, denial of service or potentially the execution of arbitrary code if a specially crafted image is processed.

https://security-tracker.debian.org/tracker/DSA-6076-1

Multiple security issues were discovered in the WordPress blogging tool, which could result in cross-site scripting or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6075-1

The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-13947

Janet Black discovered that a website may be able to exfiltrate sensitive system information.

CVE-2025-43421

Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43458

Phil Beauvoir discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-66287

Stanislav Fort discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-6074-1

Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-6073-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6072-1

It was discovered that incorrect handling of promiscuous NS RRSets in Unbound, a validating, recursive, caching DNS resolver, could result in cache poisoning.

https://security-tracker.debian.org/tracker/DSA-6071-1

The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-43392

Tom Van Goethem discovered that a website may exfiltrate image data cross-origin.

CVE-2025-43425

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43427

Gary Kwong and rheza discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43429

Google Big Sleep discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43430

Google Big Sleep discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43431

Google Big Sleep discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-43432

Hossein Lotfi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43434

Google Big Sleep discovered that processing maliciously crafted web content may lead to an unexpected browser crash.

CVE-2025-43440

Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43443

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-6070-1

It was discovered that openvpn, a virtual private network application, does not properly handle HMAC verification checks. A remote attacker can take advantage of this flaw to bypass source IP address validation.

https://security-tracker.debian.org/tracker/DSA-6069-1