Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1355-1 lighttpd security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1354-1 ruby-rack security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4089-1] libxslt security update
[DLA 4090-1] ruby-rack security update
[SECURITY] [DLA 4089-1] libxslt security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4089-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 24, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libxslt
Version : 1.1.34-4+deb11u2
CVE ID : CVE-2024-55549 CVE-2025-24855
Debian Bug : 1100565 1100566
Two use-after-free vulnerabilities have been fixed in the XSLT
processing library libxslt.
CVE-2024-55549
Use-after-free related to excluded namespaces
CVE-2025-24855
Use-after-free of XPath context node
For Debian 11 bullseye, these problems have been fixed in version
1.1.34-4+deb11u2.
We recommend that you upgrade your libxslt packages.
For the detailed security status of libxslt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxslt
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4090-1] ruby-rack security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4090-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 24, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : ruby-rack
Version : 2.1.4-3+deb11u3
CVE ID : CVE-2025-25184 CVE-2025-27111 CVE-2025-27610
Debian Bug : 1098257 1099546 1100444
Multiple vulnerabilities have been fixed in ruby-rack,
an interface for developing web applications in Ruby.
CVE-2025-25184
Log Injection in Rack::CommonLogger
CVE-2025-27111
Log Injection in Rack::Sendfile
CVE-2025-27610
Local file inclusion in Rack::Static
For Debian 11 bullseye, these problems have been fixed in version
2.1.4-3+deb11u3.
We recommend that you upgrade your ruby-rack packages.
For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1355-1 lighttpd security update
Package : lighttpd
Version : 1.4.45-1+deb9u2 (stretch)
Related CVEs :
CVE-2018-25103
Fixes use-after-free vulnerabilities in request parsing that could read through
invalid pointers into memory used by the same request (not by other requests).
ELA-1354-1 ruby-rack security update
Package : ruby-rack
Version : 1.6.4-4+deb9u7 (stretch), 2.0.6-3+deb10u5 (buster)
Related CVEs :
CVE-2025-25184
CVE-2025-27111
CVE-2025-27610
Multiple vulnerabilities have been fixed in ruby-rack, an interface for developing web applications in Ruby.
CVE-2025-25184
Log Injection in Rack::CommonLogger
CVE-2025-27111
Log Injection in Rack::Sendfile
CVE-2025-27610
Local file inclusion in Rack::Static
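The two bug classes named in the ruby-rack advisories above (log injection in Rack::CommonLogger and Rack::Sendfile; local file inclusion in Rack::Static; DLA-4090-1 and ELA-1354-1) are illustrated in the added Ruby example below. It is not Rack's code or the Debian patch: `log_line_unsafe`/`log_line_safe` and `resolve_unsafe`/`resolve_safe` are hypothetical stand-ins that show the weak behaviour beside a hardened check, and the request values are constructed for the demonstration.

```ruby
# Added illustration, not Rack's own code: the weak pattern and a hardened
# check for (a) log injection via request-controlled fields and (b) local
# file inclusion via an unconstrained static-file root.
require "uri"

# (a) Common Log Format line as an access-log middleware would emit it.
# Weak: remote_user (attacker-influenced, e.g. from an Authorization header)
# is interpolated raw, so a CR/LF inside it forges a second, attacker-authored
# log line that later tooling cannot tell from a real request.
def log_line_unsafe(remote_user, method, path, status)
  "127.0.0.1 - #{remote_user} [01/Jan/2025:00:00:00 +0000] " \
    "\"#{method} #{path} HTTP/1.1\" #{status} -\n"
end

# Hardened: hex-escape ASCII control characters (and DEL) in every field the
# client controls, so one request is always exactly one log line.
def sanitize_log_field(value)
  value.to_s.gsub(/[\x00-\x1f\x7f]/) { |c| format("\\x%02X", c.ord) }
end

def log_line_safe(remote_user, method, path, status)
  log_line_unsafe(sanitize_log_field(remote_user),
                  sanitize_log_field(method),
                  sanitize_log_field(path), status)
end

# Constructed malicious username: the embedded newline carries a complete
# fake entry claiming a successful admin request from another address.
EVIL_USER = "alice\n10.0.0.9 - root [01/Jan/2025:00:00:00 +0000] " \
            "\"GET /admin HTTP/1.1\" 200 -"

# (b) Static-file serving.
# Weak: the decoded request path is joined onto the root with no
# normalisation, so "../" segments (raw or percent-encoded) walk out of the
# document root when the result is opened.
def resolve_unsafe(root, path_info)
  File.join(root, URI.decode_www_form_component(path_info))
end

# Hardened: require an absolute root, decode once, expand to an absolute
# path and refuse anything that does not stay under the root. The "./"
# prefix stops File.expand_path from treating a leading "~" as a home dir.
def resolve_safe(root, path_info)
  unless root && root.start_with?("/")
    raise ArgumentError, "static root must be set and absolute"
  end
  base = File.expand_path(root)
  decoded = URI.decode_www_form_component(path_info)
  return nil if decoded.include?("\0")
  rel = decoded.sub(%r{\A/+}, "")
  full = File.expand_path("./#{rel}", base)
  return nil unless full == base || full.start_with?("#{base}/")
  full
end

if __FILE__ == $PROGRAM_NAME
  puts log_line_unsafe(EVIL_USER, "GET", "/", 200)   # two lines, one forged
  puts log_line_safe(EVIL_USER, "GET", "/", 200)     # one line, CR/LF escaped
  p resolve_unsafe("/srv/www/public", "/../../../etc/passwd")
  p resolve_safe("/srv/www/public", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd")
  p resolve_safe("/srv/www/public", "/css/app.css")
end
```

The escaping keeps the forged text in the log but confined to a single line, so it stays attributable to the request that sent it; the path check works on the expanded path rather than on string matching of `..`, which is what lets it catch the percent-encoded form as well. To confirm the fixed package is installed, compare the version printed by `dpkg -s ruby-rack` with the one given in the advisory.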