Debian 10385

Debian GNU/Linux has implemented a series of security updates, which include Emacs, DNSMasq, libtasn1-6, xorg-server, FFmpeg, and Amanda.

Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1331-1 dnsmasq security update

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1336-1 libtasn1-6 security update
ELA-1337-1 xorg-server security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-822-2 amanda regression security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1334-1 emacs security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4073-1] ffmpeg security update
[DLA 4072-1] xorg-server security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5872-1] xorg-server security update
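As an added example (not Debian's own tooling), the following Python reimplements dpkg's version ordering and checks a host's installed source-package versions against the fixed versions quoted in the advisories below; the FIXED table copies those versions from this page, and SAMPLE is constructed dpkg-query output for a bullseye host.

```python
# Added example, not Debian's code: dpkg's version ordering reimplemented to
# check installed versions against the fixed versions quoted in the advisories.
def _order(c):  # dpkg rank of a non-digit char: '~' < end of string (0) = digit < letter < other
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256
def _verrevcmp(a, b):  # compare an upstream-version or revision string the way dpkg does
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = (_order(a[i]) if i < len(a) else 0), (_order(b[j]) if j < len(b) else 0)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        ni, nj = i, j  # numeric runs compare as integers, so leading zeros are harmless
        while ni < len(a) and a[ni].isdigit():
            ni += 1
        while nj < len(b) and b[nj].isdigit():
            nj += 1
        na, nb = int(a[i:ni] or 0), int(b[j:nj] or 0)
        if na != nb:
            return na - nb
        i, j = ni, nj
    return 0
def compare_versions(a, b):
    """Return -1, 0 or 1 with the ordering of `dpkg --compare-versions`."""
    def split(v):  # [epoch:]upstream[-revision]; missing parts default as in dpkg
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    for x, y in zip(split(a), split(b)):
        c = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if c:
            return (c > 0) - (c < 0)
    return 0

# Fixed versions quoted from the advisories on this page, keyed by (suite, source package)
FIXED = {("bullseye", "xorg-server"): "2:1.20.11-1+deb11u15",
         ("bullseye", "ffmpeg"): "7:4.3.8-0+deb11u3",
         ("bookworm", "xorg-server"): "2:21.1.7-3+deb12u9",
         ("buster", "emacs"): "1:26.1+1-3.2+deb10u7"}
def audit(suite, dpkg_output):
    """Map each listed package still below its fixed version to (installed, fixed)."""
    found = {}
    for line in dpkg_output.splitlines():
        pkg, _, ver = line.strip().partition(" ")
        fixed = FIXED.get((suite, pkg))
        if fixed and compare_versions(ver, fixed) < 0:
            found[pkg] = (ver, fixed)
    return found
SAMPLE = "xorg-server 2:1.20.11-1+deb11u14\nffmpeg 7:4.3.8-0+deb11u3\ndnsmasq 2.85-1\n"  # constructed bullseye host
```

Feed it real data with `dpkg-query -W -f '${source:Package} ${source:Version}\n'`, because `dpkg -l` lists binary package names such as xserver-xorg-core rather than the source package names the advisories use.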



ELA-1334-1 emacs security update


Package : emacs
Version : 1:26.1+1-3.2+deb10u7 (buster)

Related CVEs :
CVE-2024-53920
CVE-2025-1244

Multiple problems were discovered in GNU Emacs, the extensible, customisable,
self-documenting real-time display editor.

CVE-2024-53920
Several ways to trigger arbitrary code execution were discovered in Emacs’s
support for editing files in its own dialect of Lisp. These include arbitrary
code execution upon opening an otherwise innocent-looking file, with any (or
no) file extension, for editing.
CVE-2025-1244
Improper handling of custom ‘man’ URI schemes could allow an attacker to
execute arbitrary shell commands by tricking users into visiting a specially
crafted website, or an HTTP URL with a redirect.


ELA-1331-1 dnsmasq security update


Package : dnsmasq
Version : 2.72-3+deb8u8 (jessie), 2.76-5+deb9u5 (stretch)

Related CVEs :
CVE-2023-50387
CVE-2023-50868

Two vulnerabilities were found in dnsmasq, a small caching DNS proxy and
DHCP/TFTP server, which could lead to denial of service when it queries specially
crafted DNS resource records under the control of an attacker.

CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers to cause a denial of service (CPU
consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One
of the concerns is that, when there is a zone with many DNSKEY and RRSIG
records, the protocol specification implies that an algorithm must evaluate
all combinations of DNSKEY and RRSIG records.

CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote attackers to cause a denial of
service (CPU consumption for SHA-1 computations) via DNSSEC responses in a
random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification
implies that an algorithm must perform thousands of iterations of a hash
function in certain situations.

For jessie and stretch, DNSSEC support has been disabled, as a backport of the
fix was deemed too disruptive. Administrators can still validate DNS lookups on
downstream clients by installing a validating resolver there. For administrators
that require DNSSEC support in dnsmasq, we recommend upgrading to at least
buster.


ELA-1336-1 libtasn1-6 security update


Package : libtasn1-6
Version : 4.2-3+deb8u6 (jessie), 4.10-1.1+deb9u3 (stretch), 4.13-3+deb10u2 (buster)

Related CVEs :
CVE-2024-12133

Bing Shi discovered that certificate data with a large number of names
or name constraints was handled inefficiently, which may lead to Denial
of Service upon specially crafted certificates.


[SECURITY] [DSA 5872-1] xorg-server security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5872-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 28, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xorg-server
CVE ID : CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597
CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601
Debian Bug : 1098906

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server,
which may result in privilege escalation if the X server is running
privileged.

For the stable distribution (bookworm), these problems have been fixed in
version 2:21.1.7-3+deb12u9.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4073-1] ffmpeg security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4073-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
March 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ffmpeg
Version : 7:4.3.8-0+deb11u3
CVE ID : CVE-2025-0518 CVE-2025-22919 CVE-2025-22921

Several issues have been found in ffmpeg, a package of tools for
transcoding, streaming and playing of multimedia files.
The issues are related to out-of-bounds read, assert errors and NULL
pointer dereferences.

For Debian 11 bullseye, these problems have been fixed in version
7:4.3.8-0+deb11u3.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4072-1] xorg-server security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4072-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
March 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : xorg-server
Version : 2:1.20.11-1+deb11u15
CVE ID : CVE-2025-26594 CVE-2025-26595 CVE-2025-26596
CVE-2025-26597 CVE-2025-26598 CVE-2025-26599
CVE-2025-26600 CVE-2025-26601

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server,
which may result in privilege escalation if the X server is running
privileged.

For Debian 11 bullseye, these problems have been fixed in version
2:1.20.11-1+deb11u15.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1337-1 xorg-server security update


Package : xorg-server
Version : 2:1.16.4-1+deb8u18 (jessie), 2:1.19.2-1+deb9u21 (stretch), 2:1.20.4-1+deb10u16 (buster)

Related CVEs :
CVE-2025-26594
CVE-2025-26595
CVE-2025-26596
CVE-2025-26597
CVE-2025-26598
CVE-2025-26599
CVE-2025-26600
CVE-2025-26601

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server,
which may result in privilege escalation if the X server is running
privileged.


ELA-822-2 amanda regression security update


Package : amanda
Version : 1:3.3.9-5+deb9u3 (stretch)

The fix for CVE-2022-37704 in amanda, the Advanced Maryland Automatic Network Disk Archiver, was found to be incomplete.
This update fixes the handling of RSH environment variables and uses a correct check for dump/xfsdump.