Debian Security

Debian Security Advisories

DSA-5996-1 chromium - security update

10 September, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5996-1

Categories: Security

DSA-5995-1 hsqldb1.8.0 - security update

10 September, 2025 - 00:00
Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL database engine, allowed the execution of spurious scripting commands in .script and .log files. Hsqldb supports a "SCRIPT" keyword which is normally used to record the commands input by the database admin to output such a script. In combination with LibreOffice, an attacker could craft an odb containing a "database/script" file which itself contained a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.

https://security-tracker.debian.org/tracker/DSA-5995-1

Categories: Security

DSA-5994-1 shibboleth-sp - security update

7 September, 2025 - 00:00
Florian Stuhlmann discovered a SQL vulnerability in the ODBC plugin in the Shibboleth Service Provider which may result in an information leak.

For additional information please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20250903.txt

https://security-tracker.debian.org/tracker/DSA-5994-1

Categories: Security

DSA-5993-1 chromium - security update

5 September, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5993-1

Categories: Security

DSA-5992-1 firebird4.0 - security update

30 August, 2025 - 00:00
Two vulnerabilities were discovered in the Firebird database, which may result in denial of service or authentication bypass.

https://security-tracker.debian.org/tracker/DSA-5992-1

Categories: Security

DSA-5991-1 nodejs - security update

29 August, 2025 - 00:00
Multiple vulnerabilities were discovered in Node.js, which could result in denial of service, HTTP request smuggling, privilege escalation, a side channel attack against PKCS#1 1.5 or a bypass of network import restrictions.

https://security-tracker.debian.org/tracker/DSA-5991-1

Categories: Security

DSA-5990-1 libxml2 - security update

29 August, 2025 - 00:00
A flaw was found in libxslt, the XSLT 1.0 processing library, where the attribute type, atype, flags are modified in a way that corrupts internal memory management. This is addressed by adding guards in libxml2, the GNOME XML library, preventing the heap use-after-free from happening.

https://security-tracker.debian.org/tracker/DSA-5990-1

Categories: Security

DSA-5989-1 udisks2 - security update

28 August, 2025 - 00:00
Michael Imfeld discovered an out-of-bounds read vulnerability in udisks2, a D-Bus service to access and manipulate storage devices, which may result in denial of service (daemon process crash), or in mapping an internal file descriptor from the daemon process onto a loop device, resulting in local privilege escalation.

https://security-tracker.debian.org/tracker/DSA-5989-1

Categories: Security

DSA-5988-1 chromium - security update

27 August, 2025 - 00:00
A security issue was discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5988-1

Categories: Security

DSA-5987-1 unbound - security update

27 August, 2025 - 00:00
Multiple security issues were discovered in Unbound, a validating, recursive, caching DNS resolver, which may result in denial of service or cache poisoning via the "rebirthday attack".

https://security-tracker.debian.org/tracker/DSA-5987-1

Categories: Security

DSA-5986-1 node-cipher-base - security update

26 August, 2025 - 00:00
Nikita Skorovoda discovered that Node cipher-base, an abstract base class for crypto-streams, performed incomplete type checks.

https://security-tracker.debian.org/tracker/DSA-5986-1

Categories: Security

DSA-5985-1 ffmpeg - security update

25 August, 2025 - 00:00
Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-5985-1

Categories: Security

DSA-5984-1 thunderbird - security update

24 August, 2025 - 00:00
Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5984-1

Categories: Security

DSA-5983-1 qemu - security update

22 August, 2025 - 00:00
This update removes the usage of the C (Credential) flag for the binfmt_misc registration within the qemu-user package, as it allowed for privilege escalation when running a suid/sgid binary under qemu-user. This means suid/sgid foreign-architecture binaries are not running with elevated privileges under qemu-user anymore. If you relied on this behavior of qemu-user in the past (running suid/sgid foreign-arch binaries), this will require changes to your deployment.

In Bookworm the affected packages are qemu-user-static (and qemu-user-binfmt) instead of qemu-user.

Additionally, two security issues were fixed in the SR-IOV support of QEMU system emulation.

https://security-tracker.debian.org/tracker/DSA-5983-1

Categories: Security

DSA-5982-1 squid - security update

21 August, 2025 - 00:00
Two security issues were discovered in the Squid proxy caching server, which could result in the execution of arbitrary code, information disclosure or denial of service.

https://security-tracker.debian.org/tracker/DSA-5982-1

Categories: Security

DSA-5981-1 chromium - security update

21 August, 2025 - 00:00
A security issue was discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5981-1

Categories: Security

DSA-5980-1 firefox-esr - security update

20 August, 2025 - 00:00
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy.

https://security-tracker.debian.org/tracker/DSA-5980-1

Categories: Security

DSA-5979-1 libxslt - security update

19 August, 2025 - 00:00
Two vulnerabilities were found in libxslt, the XSLT 1.0 processing library, which may lead to information disclosure and a DoS attack.

CVE-2023-40403

Information disclosure with weak memory handling of generated-id()

CVE-2025-7424

Type confusion in xmlNode.psvi between stylesheet and source nodes, which may allow an attacker to crash the application or corrupt memory.

https://security-tracker.debian.org/tracker/DSA-5979-1

Categories: Security

DSA-5978-1 webkit2gtk - security update

18 August, 2025 - 00:00
The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-6558

Clement Lecigne and Vlad Stolyarov discovered that processing maliciously crafted web content may lead to an unexpected crash.

CVE-2025-31273

Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-31278

Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-43211

Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei discovered that processing web content may lead to a denial-of-service.

CVE-2025-43212

Nan Wang and Ziling Chen discovered that processing maliciously crafted web content may lead to an unexpected crash.

CVE-2025-43216

Ignacio Sanmillan discovered that processing maliciously crafted web content may lead to an unexpected crash.

CVE-2025-43227

Gilad Moav discovered that processing maliciously crafted web content may disclose sensitive user information.

CVE-2025-43228

Jaydev Ahire discovered that visiting a malicious website may lead to address bar spoofing.

CVE-2025-43240

Syarif Muhammad Sajjad discovered that a download's origin may be incorrectly associated.

CVE-2025-43265

HexRabbit discovered that processing maliciously crafted web content may disclose internal states of the app.

https://security-tracker.debian.org/tracker/DSA-5978-1

Categories: Security

DSA-5977-1 aide - security update

14 August, 2025 - 00:00
Rajesh Pangare discovered two vulnerabilities in aide, an advanced intrusion detection system. A local attacker can take advantage of these flaws to hide the addition or removal of a file from the report, tamper with the log output, or cause aide to crash during report printing or database listing.

https://security-tracker.debian.org/tracker/DSA-5977-1

Categories: Security
