Debian Security
DSA-6013-1 node-tar-fs - security update
It was discovered that the symlink validation in node-tar-fs, a Node.js
module that provides filesystem-like access to tar files, could be
bypassed.
Categories: Security
DSA-6003-2 firefox-esr - regression update
Firefox 140.3.1 has been released, which fixes connection errors with
some sites; if HTTP/3 connections failed, the fallback is now handled
more gracefully.
Categories: Security
DSA-6012-1 nncp - security update
Eugene Medvedev discovered that nncp, a package facilitating secure
store-and-forward file and mail exchange, was susceptible to path
traversal with the freq and file commands.
Categories: Security
DSA-6011-1 thunderbird - security update
Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.
Debian follows the Thunderbird upstream releases. Support for the 128.x series has ended, so starting with this update we're now following the 140.x series.
Categories: Security
DSA-6010-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
Categories: Security
DSA-5979-2 libxslt - regression update
The update for libxslt announced in DSA 5979-1 introduced a regression
while backporting the upstream deterministic generate-id implementation,
as a result of which the generated IDs may remain in a non-deterministic order.
Categories: Security
DSA-6009-1 linux - security update
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
Categories: Security
DSA-6008-1 linux - security update
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
Categories: Security
DSA-6007-1 ffmpeg - security update
Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.
Categories: Security
DSA-6006-1 jetty12 - security update
This update for Jetty, a Java servlet engine and web server, addresses
a protocol-level vulnerability in HTTP/2 support also referred to as
"MadeYouReset".
Categories: Security
DSA-6005-1 jetty9 - security update
This update for Jetty, a Java servlet engine and web server, addresses a
protocol-level vulnerability in HTTP/2 support also referred to as
"MadeYouReset".
Categories: Security
DSA-6004-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure. Google is aware that an exploit for CVE-2025-10585 exists
in the wild.
Categories: Security
DSA-6003-1 firefox-esr - security update
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, sandbox escape, information disclosure or bypass of the same-origin
policy.
Debian follows the extended support releases (ESR) of Firefox. So starting with this update we're now following the 140.x releases.
Between 128.x and 140.x, Firefox has seen a number of feature updates. For more information please refer to https://www.firefox.com/en-US/firefox/140.0esr/releasenotes/
Categories: Security
DSA-6002-1 node-sha.js - security update
It was discovered that Node sha.js, an implementation of the SHA family
of hash functions in pure JavaScript, performed incomplete type checks.
Categories: Security
