Debian Security

Two vulnerabilities were discovered in smb4k, a KDE desktop utility which allows unprivileged mounting of Samba/CIFS network shares, which may result in local denial of service or local privilege escalation.

https://security-tracker.debian.org/tracker/DSA-6092-1

Multiple security issues were discovered in the Rails web framework which could result in command injection or logging of unescaped ANSI sequences.

https://security-tracker.debian.org/tracker/DSA-6090-1

Multiple security issues were discovered in the WordPress blogging tool, which could result in cross-site scripting or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6091-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6089-1

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service or memory disclosure.

https://security-tracker.debian.org/tracker/DSA-6088-1

It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, is prone to a cross-site scripting vulnerability via the animate tag in an SVG document and a information disclosure vulnerability in the HTML style sanitizer.

https://security-tracker.debian.org/tracker/DSA-6087-1

"Turistu" discovered that incorrect permission handling in the Dropbear SSH server could result in privilege escalation.

The oldstable distribution (bookworm) is not affected.

https://security-tracker.debian.org/tracker/DSA-6086-1

Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, information disclosure, missing rate limiting or denial of service.

https://security-tracker.debian.org/tracker/DSA-6085-1

It was discovered that c-ares, a library that performs DNS requests and name resolution asynchronously, does not properly handle termination of queries which may result in denial of service.

https://security-tracker.debian.org/tracker/DSA-6084-1

The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-14174

Apple and the Google Threat Analysis Group discovered that processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.

CVE-2025-43501

Hossein Lotfi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43529

The Google Threat Analysis Group discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

CVE-2025-43531

Phil Pizlo discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43535

Google Big Sleep / Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43536

Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43541

Hossein Lotfi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-6083-1

Multiple vulnerabilities were discovered in the VLC media player, which could result in denial of service or potentially the execution of arbitrary code if a malformed video file is opened.

https://security-tracker.debian.org/tracker/DSA-6082-1

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-6081-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. An additional CVE (that has yet to be assigned) is fixed in this release; Google is aware of an expoit in the wild for that issue.

https://security-tracker.debian.org/tracker/DSA-6080-1

Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-6079-1

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, same-origin policy bypass or privilege escalation.

https://security-tracker.debian.org/tracker/DSA-6078-1

Insufficient validation of incoming notifies over TCP in PDNS Recursor, a resolving name server, could result in denial of service.

https://security-tracker.debian.org/tracker/DSA-6077-1

Several vulnerabilities were reported in the libpng PNG library, which could lead to information leaks, denial of service or potentially the execution of arbitrary code if a specially crafted image is processed.

https://security-tracker.debian.org/tracker/DSA-6076-1

Multiple security issues were discovered in the WordPress blogging tool, which could result in cross-site scripting or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6075-1

The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-13947

Janet Black discovered that a website may be able to exfiltrate sensitive system information.

CVE-2025-43421

Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43458

Phil Beauvoir discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-66287

Stanislav Fort discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-6074-1

Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-6073-1