Debian GNU/Linux 8 (Jessie) ELTS:
ELA-1385-1 php5 security update
Debian GNU/Linux 9 (Stretch) ELTS:
ELA-1384-1 php7.0 security update
Debian GNU/Linux 10 (Buster) ELTS:
ELA-1383-1 php7.3 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5899-1] webkit2gtk security update
[SECURITY] [DSA 5899-1] webkit2gtk security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5899-1 security@debian.org
https://www.debian.org/security/ Alberto Garcia
April 10, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : webkit2gtk
CVE ID : CVE-2024-54551 CVE-2025-24208 CVE-2025-24209 CVE-2025-24213
CVE-2025-24216 CVE-2025-24264 CVE-2025-30427
The following vulnerabilities have been discovered in the WebKitGTK
web engine:
CVE-2024-54551
ajajfxhj discovered that processing web content may lead to a
denial-of-service.
CVE-2025-24208
Muhammad Zaid Ghifari and Kalimantan Utara discovered that loading
a malicious iframe may lead to a cross-site scripting attack.
CVE-2025-24209
Francisco Alonso and an anonymous researcher discovered that
processing maliciously crafted web content may lead to an
unexpected process crash.
CVE-2025-24213
The Google V8 Security Team discovered that a type confusion issue
could lead to memory corruption. Note that this CVE is fixed only
on ARM architectures. x86_64 is not vulnerable, x86 is not
vulnerable when the SSE2 instruction set is enabled; but other
architectures remain vulnerable.
CVE-2025-24216
Paul Bakker discovered that processing maliciously crafted web
content may lead to an unexpected Safari crash.
CVE-2025-24264
Gary Kwong and an anonymous researcher discovered that processing
maliciously crafted web content may lead to an unexpected crash.
CVE-2025-30427
rheza discovered that processing maliciously crafted web content
may lead to an unexpected crash.
For the stable distribution (bookworm), these problems have been fixed in
version 2.48.1-2~deb12u1.
We recommend that you upgrade your webkit2gtk packages.
For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1385-1 php5 security update
Package : php5
Version : 5.6.40+dfsg-0+deb8u23 (jessie)
Related CVEs :
CVE-2025-1217
CVE-2025-1219
CVE-2025-1734
CVE-2025-1736
CVE-2025-1861
CVE-2025-1217
Tim Düsterhus discovered that the header parser of the http stream
wrapper does not handle folded headers and passes incorrect MIME
types to an attached stream notifier.
CVE-2025-1219
Tim Düsterhus discovered that when requesting a HTTP resource using
the DOM or SimpleXML extensions, the wrong content-type header is
used to determine the charset when the requested resource performs a
redirect. This allows an attacker to cause a document to be parsed
incorrectly, changing its meaning and possibly bypassing validation.
CVE-2025-1734
It was discovered that the streams HTTP wrapper does not fail for
headers with invalid name and no colon, thereby violating
RFC-mandated behavior and potentially leading to request smuggling.
CVE-2025-1736
It was discovered that the stream HTTP wrapper header check might
omit basic auth header in some cases, thereby stripping it.
CVE-2025-1861
It was discovered that the stream HTTP wrapper truncate redirect
location to 1024 bytes, while the RFC-recommended length is 8000 and
browsers usually limit to around 2048.
The URI truncation might result in omitting some critical
information (e.g. from the query) or even redirection to other
resources. It could even result in DOS of the remote site if the
trucated URL results in error.
ELA-1385-1 php5 security update
ELA-1384-1 php7.0 security update
Package : php7.0
Version : 7.0.33-0+deb9u21 (stretch)
Related CVEs :
CVE-2025-1217
CVE-2025-1219
CVE-2025-1734
CVE-2025-1736
CVE-2025-1861
CVE-2025-1217
Tim Düsterhus discovered that the header parser of the http stream
wrapper does not handle folded headers and passes incorrect MIME
types to an attached stream notifier.
CVE-2025-1219
Tim Düsterhus discovered that when requesting a HTTP resource using
the DOM or SimpleXML extensions, the wrong content-type header is
used to determine the charset when the requested resource performs a
redirect. This allows an attacker to cause a document to be parsed
incorrectly, changing its meaning and possibly bypassing validation.
CVE-2025-1734
It was discovered that the streams HTTP wrapper does not fail for
headers with invalid name and no colon, thereby violating
RFC-mandated behavior and potentially leading to request smuggling.
CVE-2025-1736
It was discovered that the stream HTTP wrapper header check might
omit basic auth header in some cases, thereby stripping it.
CVE-2025-1861
It was discovered that the stream HTTP wrapper truncate redirect
location to 1024 bytes, while the RFC-recommended length is 8000 and
browsers usually limit to around 2048.
The URI truncation might result in omitting some critical
information (e.g. from the query) or even redirection to other
resources. It could even result in DOS of the remote site if the
trucated URL results in error.
GHSA-wg4p-4hqh-c3g9
An out of bound read was discovered in the XML parsing logic when
XML_OPTION_SKIP_TAGSTART is set to a high value and the XML
document has shorter tag names than expected. (No CVE was assigned
for this vulnerability at the time of writing.)
ELA-1384-1 php7.0 security update
ELA-1383-1 php7.3 security update
Package : php7.3
Version : 7.3.31-1~deb10u10 (buster)
Related CVEs :
CVE-2025-1217
CVE-2025-1219
CVE-2025-1734
CVE-2025-1736
CVE-2025-1861
CVE-2025-1217
Tim Düsterhus discovered that the header parser of the http stream
wrapper does not handle folded headers and passes incorrect MIME
types to an attached stream notifier.
CVE-2025-1219
Tim Düsterhus discovered that when requesting a HTTP resource using
the DOM or SimpleXML extensions, the wrong content-type header is
used to determine the charset when the requested resource performs a
redirect. This allows an attacker to cause a document to be parsed
incorrectly, changing its meaning and possibly bypassing validation.
CVE-2025-1734
It was discovered that the streams HTTP wrapper does not fail for
headers with invalid name and no colon, thereby violating
RFC-mandated behavior and potentially leading to request smuggling.
CVE-2025-1736
It was discovered that the stream HTTP wrapper header check might
omit basic auth header in some cases, thereby stripping it.
CVE-2025-1861
It was discovered that the stream HTTP wrapper truncate redirect
location to 1024 bytes, while the RFC-recommended length is 8000 and
browsers usually limit to around 2048.
The URI truncation might result in omitting some critical
information (e.g. from the query) or even redirection to other
resources. It could even result in DOS of the remote site if the
trucated URL results in error.
GHSA-wg4p-4hqh-c3g9
An out of bound read was discovered in the XML parsing logic when
XML_OPTION_SKIP_TAGSTART is set to a high value and the XML
document has shorter tag names than expected. (No CVE was assigned
for this vulnerability at the time of writing.)
ELA-1383-1 php7.3 security update
