
Debian GNU/Linux has been updated with multiple security enhancements, including updates for Chromium, Libapache2-Mod-Auth-OpenIDC, Libmodbus, and Graphicsmagick:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1397-1 libmodbus security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4129-1] libapache2-mod-auth-openidc security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5903-1] chromium security update
[DSA 5905-1] graphicsmagick security update
[DSA 5904-1] libapache2-mod-auth-openidc security update



[SECURITY] [DSA 5903-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5903-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
April 17, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2025-3619 CVE-2025-3620

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 135.0.7049.95-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4129-1] libapache2-mod-auth-openidc security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4129-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Moritz Schlarb
April 17, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libapache2-mod-auth-openidc
Version : 2.4.9.4-0+deb11u5
CVE ID : CVE-2025-31492
Debian Bug : 1102413

A vulnerability has been fixed in mod_auth_openidc, an OpenID Certified
authentication and authorization module for the Apache 2.x HTTP server
that implements the OpenID Connect Relying Party functionality.

The bug in mod_auth_openidc results in disclosure of protected content to
unauthenticated users.
The conditions for disclosure are the following directives:
OIDCProviderAuthRequestMethod POST
Require valid-user
and there mustn't be any application-level gateway (or load balancer etc)
protecting the server.
When you request a protected resource, the response includes the HTTP
status, the HTTP headers, the intended response (the self-submitting
form), *and the protected resource (with no headers)*.
The patch fixing this issue has been backported from mod_auth_openidc
2.4.16.11.
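A defender-side configuration audit for the directive combination the advisory names (OIDCProviderAuthRequestMethod POST in server scope plus Require valid-user on a protected container), added here as an example and not code from Debian or the mod_auth_openidc project; the sample configuration, hostnames and paths are constructed. It only locates the affected combination; the advisory's condition that no gateway or load balancer sits in front of the server cannot be read from the file, and upgrading the package remains the fix.

```python
import re

# Constructed sample Apache configuration (assumption: a typical
# mod_auth_openidc layout; not taken from the advisory).
SAMPLE_CONF = """
OIDCProviderMetadataURL https://idp.example.invalid/.well-known/openid-configuration
OIDCClientID example-client
OIDCRedirectURI https://rp.example.invalid/protected/redirect_uri
OIDCProviderAuthRequestMethod POST   # the condition named in DLA-4129-1

<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>

<Location /public>
    Require all granted
</Location>
"""

OPEN_RE = re.compile(r"^<(Location|LocationMatch|Directory|DirectoryMatch|Files)\s+(.*?)>$", re.I)
CLOSE_RE = re.compile(r"^</(Location|LocationMatch|Directory|DirectoryMatch|Files)>$", re.I)


def audit_config(conf_text):
    """Return the containers that carry 'Require valid-user' when the
    configuration also sets 'OIDCProviderAuthRequestMethod POST'.

    An empty list means the directive combination from the advisory is absent.
    """
    post_method = False
    stack = []   # currently open <Location>/<Directory>/... containers
    hits = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append(f"<{m.group(1)} {m.group(2)}>")
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        parts = line.split()
        directive, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if directive == "oidcproviderauthrequestmethod" and args[:1] == ["post"]:
            post_method = True
        elif directive == "require" and args[:1] == ["valid-user"]:
            hits.append(" > ".join(stack) or "(server scope)")
    return hits if post_method else []


if __name__ == "__main__":
    for container in audit_config(SAMPLE_CONF):
        print("affected combination present in", container)
```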

For Debian 11 bullseye, this problem has been fixed in version
2.4.9.4-0+deb11u5.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1397-1 libmodbus security update


Package : libmodbus
Version : 3.0.6-1+deb8u2 (jessie), 3.0.6-2+deb9u2 (stretch), 3.1.4-2+deb10u3 (buster)

Related CVEs :
CVE-2024-10918

A stack-based buffer overflow vulnerability in libmodbus v3.1.10 allows
the buffer allocated for the Modbus response to be overflowed when the
function tries to reply to a Modbus request with an unexpected length.





[SECURITY] [DSA 5905-1] graphicsmagick security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5905-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 17, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : graphicsmagick
CVE ID : CVE-2025-27795 CVE-2025-32460
Debian Bug : 1099955

Two vulnerabilities have been discovered in GraphicsMagick, a set of
command-line applications to manipulate image files, which may result in
denial of service or the execution of arbitrary code if malformed image
files are processed.

For the stable distribution (bookworm), these problems have been fixed
in version 1.4+really1.3.40-4+deb12u1.

We recommend that you upgrade your graphicsmagick packages.

For the detailed security status of graphicsmagick please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/graphicsmagick

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5904-1] libapache2-mod-auth-openidc security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5904-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 17, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libapache2-mod-auth-openidc
CVE ID : CVE-2025-31492

It was discovered that mod_auth_openidc, an OpenID Certified
authentication and authorization module for the Apache HTTP server that
implements the OpenID Connect Relying Party functionality, was
susceptible to information disclosure in some configurations.

For the stable distribution (bookworm), this problem has been fixed in
version 2.4.12.3-2+deb12u3.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/