Debian Security

Debian Security Advisories

DSA-6073-1 ffmpeg - security update

7 December, 2025 - 00:00
Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

https://security-tracker.debian.org/tracker/DSA-6073-1

Categories: Security

DSA-6072-1 chromium - security update

4 December, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6072-1

Categories: Security

DSA-6071-1 unbound - security update

4 December, 2025 - 00:00
It was discovered that incorrect handling of promiscuous NS RRSets in Unbound, a validating, recursive, caching DNS resolver, could result in cache poisoning.

https://security-tracker.debian.org/tracker/DSA-6071-1

Categories: Security

DSA-6070-1 webkit2gtk - security update

4 December, 2025 - 00:00
The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-43392

Tom Van Goethem discovered that a website may exfiltrate image data cross-origin.

CVE-2025-43425

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43427

Gary Kwong and rheza discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43429

Google Big Sleep discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43430

Google Big Sleep discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43431

Google Big Sleep discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-43432

Hossein Lotfi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43434

Google Big Sleep discovered that processing maliciously crafted web content may lead to an unexpected browser crash.

CVE-2025-43440

Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43443

An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash.

https://security-tracker.debian.org/tracker/DSA-6070-1

Categories: Security

DSA-6069-1 openvpn - security update

3 December, 2025 - 00:00
It was discovered that openvpn, a virtual private network application, does not properly handle HMAC verification checks. A remote attacker can take advantage of this flaw to bypass source IP address validation.

https://security-tracker.debian.org/tracker/DSA-6069-1

Categories: Security

DSA-6068-1 xen - security update

2 December, 2025 - 00:00
Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in memory disclosure, denial of service or privilege escalation.

https://security-tracker.debian.org/tracker/DSA-6068-1

Categories: Security

DSA-6067-1 containerd - security update

2 December, 2025 - 00:00
Two security vulnerabilities were discovered in the Containerd container runtime, which may result in denial of service or local privilege escalation.

https://security-tracker.debian.org/tracker/DSA-6067-1

Categories: Security

DSA-6066-1 gnome-shell-extension-gsconnect - security update

30 November, 2025 - 00:00
It was discovered that missing validation of the device ID during handshakes in KDE Connect, a tool to integrate smart phones to a desktop, could allow an attacker to impersonate another device.

The oldstable distribution (bookworm) is not affected.

https://security-tracker.debian.org/tracker/DSA-6066-1

Categories: Security

DSA-6065-1 krita - security update

27 November, 2025 - 00:00
It was discovered that a buffer overflow in the TGA parser of Krita, a creative application for raster images, could potentially result in the execution of arbitrary code if malformed images are opened.

https://security-tracker.debian.org/tracker/DSA-6065-1

Categories: Security

DSA-6064-1 tryton-server - security update

27 November, 2025 - 00:00
Several security vulnerabilities were discovered in the server of the Tryton application platform, which could lead to information disclosure.

https://security-tracker.debian.org/tracker/DSA-6064-1

Categories: Security

DSA-6063-1 kdeconnect - security update

26 November, 2025 - 00:00
It was discovered that missing validation of the device ID during handshakes in KDE Connect, a tool to integrate smart phones to a desktop, could allow an attacker to impersonate another device.

The oldstable distribution (bookworm) is not affected.

https://security-tracker.debian.org/tracker/DSA-6063-1

Categories: Security

DSA-6062-1 pdfminer - security update

25 November, 2025 - 00:00
A vulnerability was discovered in pdfminer, a tool for extracting information from PDF documents, which may result in the execution of arbitrary code if a specially crafted PDF file is processed.

https://security-tracker.debian.org/tracker/DSA-6062-1

Categories: Security

DSA-6061-1 tryton-sao - security update

25 November, 2025 - 00:00
Abdulfatah Abdillahi discovered a cross-site scripting vulnerability in the web client of the Tryton application platform.

https://security-tracker.debian.org/tracker/DSA-6061-1

Categories: Security

DSA-6060-1 chromium - security update

19 November, 2025 - 00:00
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Google is aware that an exploit for CVE-2025-13223 exists in the wild.

https://security-tracker.debian.org/tracker/DSA-6060-1

Categories: Security

DSA-6059-1 thunderbird - security update

16 November, 2025 - 00:00
Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-6059-1

Categories: Security

DSA-6058-1 lasso - security update

15 November, 2025 - 00:00
Keane O'Kelley discovered several vulnerabilities in lasso, a library implementing Liberty Alliance and SAML protocols, which could result in denial of service or the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-6058-1

Categories: Security

DSA-6057-1 lxd - security update

13 November, 2025 - 00:00
It was discovered that LXD, a system container and virtual machine manager, is prone to a local privilege escalation vulnerability if unprivileged users are allowed to access LXD through lxd-user.

https://security-tracker.debian.org/tracker/DSA-6057-1

Categories: Security

DSA-6056-1 keystone - security update

13 November, 2025 - 00:00
A vulnerability was discovered in the ec2tokens and s3tokens APIs of Keystone, the OpenStack identity service, which may result in authorisation bypass or privilege escalation if /v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated clients.

The Swift object storage service also requires an update to work with the updated Keystone: The update to Swift is provided as 2.30.1-0+deb12u1 for bookworm and 2.35.1-0+deb13u1 for trixie and is backwards-compatible with older Keystone versions. As such, it is recommended to first upgrade Swift before deploying the Keystone update.

https://security-tracker.debian.org/tracker/DSA-6056-1

Categories: Security

DSA-6055-1 chromium - security update

13 November, 2025 - 00:00
A security issue was discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6055-1

Categories: Security

DSA-6054-1 firefox-esr - security update

12 November, 2025 - 00:00
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or bypass of the same-origin policy.

https://security-tracker.debian.org/tracker/DSA-6054-1

Categories: Security
