Debian Security
DSA-5979-2 libxslt - regression update
    The update for libxslt announced in DSA 5979-1 introduced a regression
while backporting the upstream deterministic generate-id implementation,
which means the generated IDs may remain in a non-deterministic order.
  
    Categories: Security  
DSA-6009-1 linux - security update
    Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
  
    Categories: Security  
DSA-6008-1 linux - security update
    Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
  
    Categories: Security  
DSA-6007-1 ffmpeg - security update
    Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.
  
    Categories: Security  
DSA-6006-1 jetty12 - security update
    This update for Jetty, a Java servlet engine and web server, addresses
a protocol-level vulnerability in HTTP/2 support also referred to as
"MadeYouReset".
  
    Categories: Security  
DSA-6005-1 jetty9 - security update
    This update for Jetty, a Java servlet engine and web server, addresses a
protocol-level vulnerability in HTTP/2 support also referred to as
"MadeYouReset".
  
    Categories: Security  
DSA-6004-1 chromium - security update
    Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure. Google is aware that an exploit for CVE-2025-10585 exists
in the wild.
  
    Categories: Security  
DSA-6003-1 firefox-esr - security update
    Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, sandbox escape, information disclosure or bypass of the same-origin
policy.
  Debian follows the extended support releases (ESR) of Firefox. So starting with this update we're now following the 140.x releases.
Between 128.x and 140.x, Firefox has seen a number of feature updates. For more information please refer to https://www.firefox.com/en-US/firefox/140.0esr/releasenotes/
    Categories: Security  
DSA-6002-1 node-sha.js - security update
    It was discovered that Node sha.js, an implementation of the SHA family
hash functions in pure JavaScript, performed incomplete type checks.
  
    Categories: Security  
DSA-6001-1 cjson - security update
    It was discovered that cJSON, an ultralightweight JSON parser, performed
insufficient input sanitising, which could result in out-of-bounds
memory access.
  
    Categories: Security  
DSA-5997-1 imagemagick - security update
    Multiple memory corruption vulnerabilities were discovered in imagemagick,
a software suite used for editing and manipulating digital images, which
could lead to information leak, denial of service, and potentially arbitrary
code execution.
  
    Categories: Security  
DSA-6000-1 libcpanel-json-xs-perl - security update
    Michael Hudak discovered a flaw in libcpanel-json-xs-perl, a module for
fast and correct serialising to JSON. An integer buffer overflow, causing
a segfault when parsing specially crafted JSON, may allow an attacker to
mount a denial-of-service attack or cause other unspecified impact.
  
    Categories: Security  
DSA-5999-1 libjson-xs-perl - security update
    Michael Hudak discovered a flaw in libjson-xs-perl, a module for
manipulating JSON-formatted data. An integer buffer overflow, causing a
segfault when parsing specially crafted JSON, may allow an attacker to
mount a denial-of-service attack or cause other unspecified impact.
  
    Categories: Security  
DSA-5998-1 cups - security update
    Two vulnerabilities were discovered in cups, the Common UNIX Printing
System, which may result in authentication bypass with AuthType
Negotiate or in denial of service (daemon crash).
  
    Categories: Security  
DSA-5996-1 chromium - security update
    Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
  
    Categories: Security  
DSA-5995-1 hsqldb1.8.0 - security update
    Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
database engine, allowed the execution of spurious scripting commands in
.script and .log files. Hsqldb supports a "SCRIPT" keyword which is normally
used to record the commands input by the database admin to output such a
script. In combination with LibreOffice, an attacker could craft an odb
containing a "database/script" file which itself contained a SCRIPT command
where the contents of the file could be written to a new file whose location
was determined by the attacker.
  
    Categories: Security  
DSA-5994-1 shibboleth-sp - security update
    Florian Stuhlmann discovered a SQL vulnerability in the ODBC plugin in the
Shibboleth Service Provider which may result in information leak.
  For additional information please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20250903.txt
    Categories: Security  
DSA-5993-1 chromium - security update
    Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
  
    Categories: Security  
DSA-5992-1 firebird4.0 - security update
    Two vulnerabilities were discovered in the Firebird database, which may
result in denial of service or authentication bypass.
  
    Categories: Security  
DSA-5991-1 nodejs - security update
    Multiple vulnerabilities were discovered in Node.js, which could result
in denial of service, HTTP request smuggling, privilege escalation, a
side channel attack against PKCS#1 1.5 or a bypass of network import
restrictions.
  
    Categories: Security  
      