
Debian Security

Debian Security Advisories

DSA-6060-1 chromium - security update

19 November, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Google is aware that an exploit for CVE-2025-13223 exists in the wild.

https://security-tracker.debian.org/tracker/DSA-6060-1

Categories: Security

DSA-6059-1 thunderbird - security update

16 November, 2025 - 00:00
Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-6059-1

Categories: Security

DSA-6058-1 lasso - security update

15 November, 2025 - 00:00
Keane O'Kelley discovered several vulnerabilities in lasso, a library implementing Liberty Alliance and SAML protocols, which could result in denial of service or the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-6058-1

Categories: Security

DSA-6057-1 lxd - security update

13 November, 2025 - 00:00
It was discovered that LXD, a system container and virtual machine manager, is prone to a local privilege escalation vulnerability if unprivileged users are allowed to access LXD through lxd-user.

https://security-tracker.debian.org/tracker/DSA-6057-1

Categories: Security

DSA-6056-1 keystone - security update

13 November, 2025 - 00:00
A vulnerability was discovered in the ec2tokens and s3tokens APIs of Keystone, the OpenStack identity service, which may result in authorisation bypass or privilege escalation if /v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated clients.

The Swift object storage service also requires an update to work with the updated Keystone: The update to Swift is provided as 2.30.1-0+deb12u1 for bookworm and 2.35.1-0+deb13u1 for trixie and is backwards-compatible with older Keystone versions. As such, it is recommended to first upgrade Swift before deploying the Keystone update.

https://security-tracker.debian.org/tracker/DSA-6056-1

Categories: Security

DSA-6055-1 chromium - security update

13 November, 2025 - 00:00
A security issue was discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6055-1

Categories: Security

DSA-6054-1 firefox-esr - security update

12 November, 2025 - 00:00
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or bypass of the same-origin policy.

https://security-tracker.debian.org/tracker/DSA-6054-1

Categories: Security

DSA-6053-1 linux - security update

11 November, 2025 - 00:00
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

https://security-tracker.debian.org/tracker/DSA-6053-1

Categories: Security

DSA-6052-1 rust-sudo-rs - security update

11 November, 2025 - 00:00
Two security issues were discovered in sudo-rs, a Rust-based implementation of sudo (and su), which could result in the local disclosure of partially typed passwords or an authentication bypass in some targetpw/rootpw configurations.

https://security-tracker.debian.org/tracker/DSA-6052-1

Categories: Security

DSA-6051-1 incus - security update

10 November, 2025 - 00:00
It was discovered that Incus, a system container and virtual machine manager, is prone to a local privilege escalation vulnerability if unprivileged users are allowed to access Incus through incus-user.

https://security-tracker.debian.org/tracker/DSA-6051-1

Categories: Security

DSA-6050-1 chromium - security update

7 November, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6050-1

Categories: Security

DSA-6049-1 gimp - security update

4 November, 2025 - 00:00
A buffer overflow was discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed XWD images are opened.

https://security-tracker.debian.org/tracker/DSA-6049-1

Categories: Security

DSA-6048-1 ruby-rack - security update

3 November, 2025 - 00:00
Multiple security issues were found in Rack, an interface for developing web applications in Ruby, which could result in denial of service or proxy bypass.

https://security-tracker.debian.org/tracker/DSA-6048-1

Categories: Security

DSA-6047-1 squid - security update

30 October, 2025 - 00:00
Leonardo Giovanni discovered that missing redaction of authentication data in the Squid proxy caching server could result in information disclosure.

https://security-tracker.debian.org/tracker/DSA-6047-1

Categories: Security

DSA-6046-1 chromium - security update

30 October, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6046-1

Categories: Security

DSA-6045-1 pdns-recursor - security update

29 October, 2025 - 00:00
Two vulnerabilities have been discovered in PDNS Recursor, a resolving name server: Delegation information was insufficiently validated, which could result in cache pollution.

These changes are too intrusive to be backported to the version of the PDNS recursor in the oldstable distribution (bookworm). For affected setups an update to Debian stable/trixie is recommended; no further security updates for pdns-recursor in Bookworm will be issued.

https://security-tracker.debian.org/tracker/DSA-6045-1

Categories: Security

DSA-6044-1 xorg-server - security update

29 October, 2025 - 00:00
Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

https://security-tracker.debian.org/tracker/DSA-6044-1

Categories: Security

DSA-6043-1 gimp - security update

28 October, 2025 - 00:00
Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed DICOM or DDS images are opened.

https://security-tracker.debian.org/tracker/DSA-6043-1

Categories: Security

DSA-6042-1 webkit2gtk - security update

28 October, 2025 - 00:00
The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-43272

Big Bear discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43342

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43343

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43356

Jaydev Ahire discovered that a website may be able to access sensor information without user consent.

CVE-2025-43368

Pawel Wylecial discovered that processing maliciously crafted web content may lead to an unexpected process crash.

This WebKitGTK update causes a compatibility problem with older versions of Evolution when handling e-mail attachments. For this reason, fixed versions of Evolution have also been released along with this WebKitGTK update.

https://security-tracker.debian.org/tracker/DSA-6042-1

Categories: Security

DSA-6041-1 strongswan - security update

27 October, 2025 - 00:00
Xu Biang discovered a buffer overflow bug in the eap-mschapv2 plugin of strongSwan, an IKE/IPsec suite.

The eap-mschapv2 plugin doesn't correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client, which can cause an integer underflow that leads to a crash, and a heap-based buffer overflow that's potentially exploitable for remote code execution.

https://security-tracker.debian.org/tracker/DSA-6041-1

Categories: Security
