Debian 10402

Debian GNU/Linux has undergone multiple security updates, encompassing Thunderbird, Chromium, Atop, and PHP-Horde updates:

Debian GNU/Linux 10 (Buster) LTS:
ELA-1373-1 php-horde-turba regression update
ELA-1372-1 php-horde-imp security update
ELA-1371-1 php-horde-editor security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4113-1] php-horde-imp security update
[DLA 4112-1] php-horde-editor - switch to CKEditor 4

Debian GNU/Linux 12 (Bookworm):
[DSA 5891-1] thunderbird security update
[DSA 5890-1] chromium security update
[DSA 5892-1] atop security update



[SECURITY] [DSA 5891-1] thunderbird security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5891-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 03, 2025                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2025-3028 CVE-2025-3029 CVE-2025-3030

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For the stable distribution (bookworm), these problems have been fixed in
version 1:128.9.0esr-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4113-1] php-horde-imp security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4113-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
April 03, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : php-horde-imp
Version : 6.2.27-2+deb11u1
CVE ID : CVE-2025-30349
Debian Bug : 1042715

An XSS vulnerability was discovered in Horde IMP, the webmail
component of the Horde groupware platform. An attacker could hijack a
user session by sending a crafted e-mail to an IMP user.

Additionally, adjustments were made to handle the move to CKEditor v4
(see DLA-4112-1).

For Debian 11 bullseye, this problem has been fixed in version
6.2.27-2+deb11u1.

We recommend that you upgrade your php-horde-imp packages.

For the detailed security status of php-horde-imp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-imp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4112-1] php-horde-editor - switch to CKEditor 4


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4112-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
April 03, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : php-horde-editor
Version : 2.0.5+debian0-5+deb11u1
Debian Bug : 1042715

Horde Editor, the HTML editor for the Horde groupware platform,
typically used in its IMP webmail component, relies on CKEditor v3.
CKEditor v3 reached EOL and is not supported in Debian bullseye.
This update upgrades to CKEditor v4, as a first step to move to
CKEditor v5.

For Debian 11 bullseye, this problem has been fixed in version
2.0.5+debian0-5+deb11u1.

We recommend that you upgrade your php-horde-editor packages.

For the detailed security status of php-horde-editor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-editor

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5890-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5890-1                   security@debian.org
https://www.debian.org/security/                           Andres Salomon
April 03, 2025                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2025-3066 CVE-2025-3067 CVE-2025-3068 CVE-2025-3069
CVE-2025-3070 CVE-2025-3071 CVE-2025-3072 CVE-2025-3073
CVE-2025-3074

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 135.0.7049.52-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5892-1] atop security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5892-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 03, 2025                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : atop
CVE ID : CVE-2025-31160

It was discovered that Atop, a monitoring tool for system resources and
process activity, always tried to connect to the port of atopgpud
(an additional daemon gathering GPU statistics, not shipped in Debian)
while performing insufficient sanitising of the data read from this
port.

With this update, additional validation is added and by default atop
no longer tries to connect to the atopgpud daemon port unless explicitly
enabled via -k.

For the stable distribution (bookworm), this problem has been fixed in
version 2.8.1-1+deb12u1.

We recommend that you upgrade your atop packages.

For the detailed security status of atop please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/atop

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1373-1 php-horde-turba regression update


Package : php-horde-turba

Version : 4.2.23-1+deb10u2 (buster)

An error was introduced while fixing CVE-2022-30287 in Horde Turba, an
address book component for the Horde groupware suite, see DLA 3090-1:

https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019153

Note: while php-horde-turba is currently not supported, this update
fixes both a regression and an installation issue that hinders
testing of other supported php-horde-* packages.




ELA-1372-1 php-horde-imp security update


Package : php-horde-imp

Version : 6.2.22-1+deb10u1 (buster)

Horde Editor, the HTML editor for the Horde groupware platform, relies
on CKEditor v3. CKEditor v3 reached EOL and is not supported in
Debian buster ELTS. This update upgrades to CKEditor v4, as a first
step to move to CKEditor v5.

Note: while php-horde-imp is currently not supported, this update is
necessary to complete the CKEditor upgrade in php-horde-editor, which
is supported, see ELA-1371-1.




ELA-1371-1 php-horde-editor security update


Package : php-horde-editor

Version : 2.0.5+debian0-2+deb10u1 (buster)

Horde Editor, the HTML editor for the Horde groupware platform, relies
on CKEditor v3. CKEditor v3 reached EOL and is not supported in
Debian buster ELTS. This update upgrades to CKEditor v4, as a first
step to move to CKEditor v5.
