NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:12 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010022
• https://sourceware.org/bugzilla/show_bug.cgi?id=22850
• https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3
• https://ubuntu.com/security/CVE-2019-1010022

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

Remediation

There is no fixed version for Debian:12 tar.

References

• https://security-tracker.debian.org/tracker/CVE-2005-2541
• http://marc.info/?l=bugtraq&m=112327628230258&w=2
• https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E
• https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.

Remediation

There is no fixed version for Debian:12 sqlite3.

References

• https://security-tracker.debian.org/tracker/CVE-2025-7458
• https://sqlite.org/forum/forumpost/16ce2bb7a639e29b
• https://sqlite.org/src/info/12ad822d9b827777

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

Remediation

There is no fixed version for Debian:12 git.

References

• https://security-tracker.debian.org/tracker/CVE-2024-52005
• https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
• https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:12 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22851
• http://www.securityfocus.com/bid/109167
• https://ubuntu.com/security/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

Remediation

There is no fixed version for Debian:12 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31486
• https://security.netapp.com/advisory/ntap-20241129-0011/
• http://www.openwall.com/lists/oss-security/2023/04/29/1
• http://www.openwall.com/lists/oss-security/2023/05/03/3
• http://www.openwall.com/lists/oss-security/2023/05/03/5
• http://www.openwall.com/lists/oss-security/2023/05/07/2
• https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
• https://github.com/chansen/p5-http-tiny/pull/153
• https://hackeriet.github.io/cpan-http-tiny-overview/
• https://www.openwall.com/lists/oss-security/2023/04/18/14
• https://www.openwall.com/lists/oss-security/2023/05/03/4
• https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

Remediation

There is no fixed version for Debian:12 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2024-28757
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/
• http://www.openwall.com/lists/oss-security/2024/03/15/1
• https://github.com/libexpat/libexpat/issues/839
• https://github.com/libexpat/libexpat/pull/842
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/
• https://security.netapp.com/advisory/ntap-20240322-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.

Remediation

There is no fixed version for Debian:12 git.

References

• https://security-tracker.debian.org/tracker/CVE-2022-24975
• https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g/
• https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191
• https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/
• https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

Remediation

There is no fixed version for Debian:12 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
• https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
• https://security.netapp.com/advisory/ntap-20190315-0002/
• http://www.securityfocus.com/bid/107160
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

Remediation

There is no fixed version for Debian:12 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=24269
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

Remediation

There is no fixed version for Debian:12 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2018-5709
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5709
• https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5709
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

Remediation

There is no fixed version for Debian:12 libgcrypt20.

References

• https://security-tracker.debian.org/tracker/CVE-2018-6829
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
• https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
• https://www.oracle.com/security-alerts/cpujan2020.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.

Remediation

There is no fixed version for Debian:12 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2015-3276
• http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1238322
• http://rhn.redhat.com/errata/RHSA-2015-2131.html
• http://www.securitytracker.com/id/1034221
• https://access.redhat.com/errata/RHSA-2015:2131
• https://access.redhat.com/security/cve/CVE-2015-3276

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.

Remediation

There is no fixed version for Debian:12 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2023-2953
• http://seclists.org/fulldisclosure/2023/Jul/47
• http://seclists.org/fulldisclosure/2023/Jul/48
• http://seclists.org/fulldisclosure/2023/Jul/52
• https://access.redhat.com/security/cve/CVE-2023-2953
• https://bugs.openldap.org/show_bug.cgi?id=9904
• https://security.netapp.com/advisory/ntap-20230703-0005/
• https://support.apple.com/kb/HT213843
• https://support.apple.com/kb/HT213844
• https://support.apple.com/kb/HT213845

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.

Remediation

There is no fixed version for Debian:12 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2017-17740
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
• http://www.openldap.org/its/index.cgi/Incoming?id=8759
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html
• https://kc.mcafee.com/corporate/index?page=content&id=SB10365
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

Remediation

There is no fixed version for Debian:12 python3.11.

References

• https://security-tracker.debian.org/tracker/CVE-2025-13836
• https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628
• https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15
• https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155
• https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5
• https://github.com/python/cpython/issues/119451
• https://github.com/python/cpython/pull/119454
• https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/
• https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0
• https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

Remediation

There is no fixed version for Debian:12 openssh.

References

• https://security-tracker.debian.org/tracker/CVE-2020-15778
• https://security.netapp.com/advisory/ntap-20200731-0007/
• https://github.com/cpandya2909/CVE-2020-15778/
• https://news.ycombinator.com/item?id=25005567
• https://www.openssh.com/security.html
• https://github.com/cpandya2909/CVE-2020-15778#example
• https://access.redhat.com/errata/RHSA-2024:3166
• https://security.gentoo.org/glsa/202212-06
• https://github.com/Neko-chanQwQ/CVE-2020-15778-Exploit

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

Remediation

There is no fixed version for Debian:12 openssh.

References

• https://security-tracker.debian.org/tracker/CVE-2019-6110
• https://www.exploit-db.com/exploits/46193/
• https://security.gentoo.org/glsa/201903-16
• https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c
• https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c
• https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
• https://security.netapp.com/advisory/ntap-20190213-0001/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-6110
• https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
• https://www.exploit-db.com/exploits/46516

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Debian:12 coreutils.

References

• https://security-tracker.debian.org/tracker/CVE-2016-2781
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://www.openwall.com/lists/oss-security/2016/02/28/2
• http://www.openwall.com/lists/oss-security/2016/02/28/3
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

There is no fixed version for Debian:12 ncurses.

References

• https://security-tracker.debian.org/tracker/CVE-2023-50495
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/
• https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html
• https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html
• https://security.netapp.com/advisory/ntap-20240119-0008/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.

Remediation

There is no fixed version for Debian:12 openssh.

References

• https://security-tracker.debian.org/tracker/CVE-2008-3234
• https://www.exploit-db.com/exploits/6094
• http://www.securityfocus.com/bid/30276
• https://exchange.xforce.ibmcloud.com/vulnerabilities/44037

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

Remediation

There is no fixed version for Debian:12 shadow.

References

• https://security-tracker.debian.org/tracker/CVE-2007-5686
• http://www.securityfocus.com/archive/1/482129/100/100/threaded
• http://www.securityfocus.com/archive/1/482857/100/0/threaded
• https://issues.rpath.com/browse/RPL-1825
• http://secunia.com/advisories/27215
• http://www.securityfocus.com/bid/26048
• http://www.vupen.com/english/advisories/2007/3474

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Remediation

There is no fixed version for Debian:12 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14104
• https://access.redhat.com/security/cve/CVE-2025-14104
• https://bugzilla.redhat.com/show_bug.cgi?id=2419369
• https://access.redhat.com/errata/RHSA-2026:1696
• https://access.redhat.com/errata/RHSA-2026:1852
• https://access.redhat.com/errata/RHSA-2026:1913
• https://access.redhat.com/errata/RHSA-2026:2485
• https://access.redhat.com/errata/RHSA-2026:2563
• https://access.redhat.com/errata/RHSA-2026:2737
• https://access.redhat.com/errata/RHSA-2026:2800

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Debian:12 wget.

References

• https://security-tracker.debian.org/tracker/CVE-2021-31879
• https://security.netapp.com/advisory/ntap-20210618-0002/
• https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

Remediation

There is no fixed version for Debian:12 openssh.

References

• https://security-tracker.debian.org/tracker/CVE-2020-14145
• https://security.netapp.com/advisory/ntap-20200709-0004/
• https://security.gentoo.org/glsa/202105-35
• https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d
• https://docs.ssh-mitm.at/CVE-2020-14145.html
• https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1
• https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py
• https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/
• http://www.openwall.com/lists/oss-security/2020/12/02/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Debian:12 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2025-66382
• https://github.com/libexpat/libexpat/issues/1076
• http://www.openwall.com/lists/oss-security/2025/12/02/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

Remediation

There is no fixed version for Debian:12 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2023-52426
• https://cwe.mitre.org/data/definitions/776.html
• https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404
• https://github.com/libexpat/libexpat/pull/777
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
• https://security.netapp.com/advisory/ntap-20240307-0005/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-12 package and not the gcc-12 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Remediation

There is no fixed version for Debian:12 gcc-12.

References

• https://security-tracker.debian.org/tracker/CVE-2022-27943
• https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/
• https://sourceware.org/bugzilla/show_bug.cgi?id=28995
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

Remediation

There is no fixed version for Debian:12 python3.11.

References

• https://security-tracker.debian.org/tracker/CVE-2025-13837
• https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b
• https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70
• https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba
• https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb
• https://github.com/python/cpython/issues/119342
• https://github.com/python/cpython/pull/119343
• https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

Remediation

There is no fixed version for Debian:12 python3.11.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6075
• https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c
• https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427
• https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84
• https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca
• https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742
• https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba
• https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c
• https://github.com/python/cpython/issues/136065
• https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.

Remediation

There is no fixed version for Debian:12 sqlite3.

References

• https://security-tracker.debian.org/tracker/CVE-2025-29088
• https://gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248
• https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
• https://sqlite.org/forum/forumpost/48f365daec
• https://sqlite.org/releaselog/3_49_1.html
• https://www.sqlite.org/cves.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

Remediation

There is no fixed version for Debian:12 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2022-0563
• https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u
• https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u
• https://security.gentoo.org/glsa/202401-08
• https://security.netapp.com/advisory/ntap-20220331-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:12 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010024
• https://support.f5.com/csp/article/K06046097
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22852
• http://www.securityfocus.com/bid/109162
• https://ubuntu.com/security/CVE-2019-1010024
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.

Remediation

There is no fixed version for Debian:12 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010025
• https://support.f5.com/csp/article/K06046097
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22853
• https://ubuntu.com/security/CVE-2019-1010025
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product

Remediation

There is no fixed version for Debian:12 openssh.

References

• https://security-tracker.debian.org/tracker/CVE-2016-20012
• https://security.netapp.com/advisory/ntap-20211014-0005/
• https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265
• https://github.com/openssh/openssh-portable/pull/270
• https://rushter.com/blog/public-ssh-keys/
• https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak
• https://github.com/openssh/openssh-portable/pull/270#issuecomment-920577097
• https://github.com/openssh/openssh-portable/pull/270#issuecomment-943909185
• https://www.openwall.com/lists/oss-security/2018/08/24/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.

Remediation

There is no fixed version for Debian:12 openssh.

References

• https://security-tracker.debian.org/tracker/CVE-2007-2243
• https://security.netapp.com/advisory/ntap-20191107-0003/
• http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053906.html
• http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053951.html
• http://securityreason.com/securityalert/2631
• http://www.securityfocus.com/bid/23601
• https://exchange.xforce.ibmcloud.com/vulnerabilities/33794
• http://www.osvdb.org/34600

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

Remediation

There is no fixed version for Debian:12 openssh.

References

• https://security-tracker.debian.org/tracker/CVE-2018-15919
• https://security.netapp.com/advisory/ntap-20181221-0001/
• http://seclists.org/oss-sec/2018/q3/180
• http://www.securityfocus.com/bid/105163
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-15919

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Remediation

There is no fixed version for Debian:12 python3.11.

References

• https://security-tracker.debian.org/tracker/CVE-2025-12084
• https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0
• https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4
• https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964
• https://github.com/python/cpython/issues/142145
• https://github.com/python/cpython/pull/142146
• https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437
• https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907
• https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d
• https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8
• https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af
• https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273
• https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53
• https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8
• https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.

This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.

The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.

Remediation

There is no fixed version for Debian:12 python3.11.

References

• https://security-tracker.debian.org/tracker/CVE-2025-12781
• https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b
• https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947
• https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5
• https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76
• https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5
• https://github.com/python/cpython/issues/125346
• https://github.com/python/cpython/pull/141128
• https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:12 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31437
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:12 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31438
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/pull/28886
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:12 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31439
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/pull/28885
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).

Remediation

There is no fixed version for Debian:12 git.

References

• https://security-tracker.debian.org/tracker/CVE-2018-1000021
• http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000021

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

Remediation

There is no fixed version for Debian:12 coreutils.

References

• https://security-tracker.debian.org/tracker/CVE-2017-18018
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018
• http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

Remediation

There is no fixed version for Debian:12 gnupg2.

References

• https://security-tracker.debian.org/tracker/CVE-2025-30258
• https://dev.gnupg.org/T7527
• https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158
• https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Remediation

There is no fixed version for Debian:12 gnupg2.

References

• https://security-tracker.debian.org/tracker/CVE-2025-68972
• https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
• https://news.ycombinator.com/item?id=46404339
• https://gpg.fail/formfeed

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript.

Remediation

There is no fixed version for Debian:12 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2017-14159
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14159
• http://www.openldap.org/its/index.cgi?findid=8703
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14159
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

Remediation

There is no fixed version for Debian:12 pam.

References

• https://security-tracker.debian.org/tracker/CVE-2024-10041
• https://access.redhat.com/security/cve/CVE-2024-10041
• https://bugzilla.redhat.com/show_bug.cgi?id=2319212
• https://access.redhat.com/errata/RHSA-2024:9941
• https://access.redhat.com/errata/RHSA-2024:10379
• https://access.redhat.com/errata/RHSA-2024:11250

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

Remediation

There is no fixed version for Debian:12 coreutils.

References

• https://security-tracker.debian.org/tracker/CVE-2025-5278
• https://access.redhat.com/security/cve/CVE-2025-5278
• https://bugzilla.redhat.com/show_bug.cgi?id=2368764
• http://www.openwall.com/lists/oss-security/2025/05/27/2
• http://www.openwall.com/lists/oss-security/2025/05/29/1
• https://cgit.git.savannah.gnu.org/cgit/coreutils.git/tree/NEWS?id=8c9602e3a145e9596dc1a63c6ed67865814b6633#n14
• http://www.openwall.com/lists/oss-security/2025/05/29/2
• https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

Remediation

There is no fixed version for Debian:12 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2013-4392
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357
• http://www.openwall.com/lists/oss-security/2013/10/01/9
• https://bugzilla.redhat.com/show_bug.cgi?id=859060

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

Remediation

There is no fixed version for Debian:12 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2010-4756
• http://cxib.net/stuff/glob-0day.c
• http://securityreason.com/achievement_securityalert/89
• http://securityreason.com/exploitalert/9223
• https://bugzilla.redhat.com/show_bug.cgi?id=681681
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756
• https://security.netapp.com/advisory/ntap-20241108-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Remediation

There is no fixed version for Debian:12 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2011-3389
• http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
• http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
• http://support.apple.com/kb/HT4999
• http://support.apple.com/kb/HT5001
• http://support.apple.com/kb/HT5130
• http://support.apple.com/kb/HT5281
• http://support.apple.com/kb/HT5501
• http://support.apple.com/kb/HT6150
• http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
• http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html
• http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
• http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
• http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
• http://www.us-cert.gov/cas/techalerts/TA12-010A.html
• http://www.kb.cert.org/vuls/id/864643
• http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
• http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
• http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
• http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
• http://curl.haxx.se/docs/adv_20120124B.html
• http://downloads.asterisk.org/pub/security/AST-2016-001.html
• http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
• https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
• https://bugzilla.novell.com/show_bug.cgi?id=719047
• https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
• http://technet.microsoft.com/security/advisory/2588513
• http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
• http://www.ibm.com/developerworks/java/jdk/alerts/
• http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
• http://www.opera.com/docs/changelogs/mac/1151/
• http://www.opera.com/docs/changelogs/mac/1160/
• http://www.opera.com/docs/changelogs/unix/1151/
• http://www.opera.com/docs/changelogs/unix/1160/
• http://www.opera.com/docs/changelogs/windows/1151/
• http://www.opera.com/docs/changelogs/windows/1160/
• http://www.opera.com/support/kb/view/1004/
• http://www.debian.org/security/2012/dsa-2398
• http://security.gentoo.org/glsa/glsa-201203-02.xml
• http://security.gentoo.org/glsa/glsa-201406-32.xml
• https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
• http://marc.info/?l=bugtraq&m=132750579901589&w=2
• http://marc.info/?l=bugtraq&m=132872385320240&w=2
• http://marc.info/?l=bugtraq&m=133365109612558&w=2
• http://marc.info/?l=bugtraq&m=133728004526190&w=2
• http://marc.info/?l=bugtraq&m=134254866602253&w=2
• http://marc.info/?l=bugtraq&m=134254957702612&w=2
• http://ekoparty.org/2011/juliano-rizzo.php
• http://eprint.iacr.org/2004/111
• http://eprint.iacr.org/2006/136
• http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
• https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
• http://vnhacker.blogspot.com/2011/09/beast.html
• http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
• http://www.insecure.cl/Beast-SSL.rar
• https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006
• http://technet.microsoft.com/security/bulletin/MS12-006
• http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html
• http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html
• http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
• http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
• http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
• http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
• http://osvdb.org/74829
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752
• https://bugzilla.redhat.com/show_bug.cgi?id=737506
• http://rhn.redhat.com/errata/RHSA-2012-0508.html
• http://rhn.redhat.com/errata/RHSA-2013-1455.html
• http://secunia.com/advisories/45791
• http://secunia.com/advisories/47998
• http://secunia.com/advisories/48256
• http://secunia.com/advisories/48692
• http://secunia.com/advisories/48915
• http://secunia.com/advisories/48948
• http://secunia.com/advisories/49198
• http://secunia.com/advisories/55322
• http://secunia.com/advisories/55350
• http://secunia.com/advisories/55351
• http://www.securityfocus.com/bid/49388
• http://www.securityfocus.com/bid/49778
• http://www.securitytracker.com/id?1025997
• http://www.securitytracker.com/id?1026103
• http://www.securitytracker.com/id?1026704
• http://www.securitytracker.com/id/1029190
• http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
• https://hermes.opensuse.org/messages/13154861
• https://hermes.opensuse.org/messages/13155432
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2011-3389
• http://www.ubuntu.com/usn/USN-1263-1
• http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
• http://www.redhat.com/support/errata/RHSA-2011-1384.html
• http://www.redhat.com/support/errata/RHSA-2012-0006.html
• https://github.com/mpgn/BEAST-PoC

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.

Remediation

There is no fixed version for Debian:12 openssh.

References

• https://security-tracker.debian.org/tracker/CVE-2007-2768
• http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html
• https://security.netapp.com/advisory/ntap-20191107-0002/
• http://www.osvdb.org/34601

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

Remediation

There is no fixed version for Debian:12 sqlite3.

References

• https://security-tracker.debian.org/tracker/CVE-2021-45346
• https://github.com/guyinatuxedo/sqlite3_record_leaking
• https://security.netapp.com/advisory/ntap-20220303-0001/
• https://sqlite.org/forum/forumpost/056d557c2f8c452ed5
• https://sqlite.org/forum/forumpost/53de8864ba114bf6
• https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.

Remediation

There is no fixed version for Debian:12 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2020-15719
• https://access.redhat.com/errata/RHBA-2019:3674
• https://bugs.openldap.org/show_bug.cgi?id=9266
• https://bugzilla.redhat.com/show_bug.cgi?id=1740070
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html
• https://kc.mcafee.com/corporate/index?page=content&id=SB10365
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream apt package and not the apt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

Remediation

There is no fixed version for Debian:12 apt.

References

• https://security-tracker.debian.org/tracker/CVE-2011-3374
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480
• https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html
• https://seclists.org/fulldisclosure/2011/Sep/221
• https://snyk.io/vuln/SNYK-LINUX-APT-116518
• https://ubuntu.com/security/CVE-2011-3374
• https://access.redhat.com/security/cve/cve-2011-3374

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

Remediation

There is no fixed version for Debian:12 gnupg2.

References

• https://security-tracker.debian.org/tracker/CVE-2022-3219
• https://access.redhat.com/security/cve/CVE-2022-3219
• https://bugzilla.redhat.com/show_bug.cgi?id=2127010
• https://dev.gnupg.org/D556
• https://dev.gnupg.org/T5993
• https://marc.info/?l=oss-security&m=165696590211434&w=4
• https://security.netapp.com/advisory/ntap-20230324-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.

Remediation

There is no fixed version for Debian:12 ncurses.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6141
• https://invisible-island.net/ncurses/NEWS.html#index-t20250329
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00114.html
• https://vuldb.com/?ctiid.312610
• https://vuldb.com/?id.312610
• https://vuldb.com/?submit.593000
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

Remediation

There is no fixed version for Debian:12 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2011-4116
• https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14
• https://rt.cpan.org/Public/Bug/Display.html?id=69106
• https://seclists.org/oss-sec/2011/q4/238
• http://www.openwall.com/lists/oss-security/2011/11/04/2
• http://www.openwall.com/lists/oss-security/2011/11/04/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream procps package and not the procps package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

Remediation

There is no fixed version for Debian:12 procps.

References

• https://security-tracker.debian.org/tracker/CVE-2023-4016
• https://gitlab.com/procps-ng/procps
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Remediation

There is no fixed version for Debian:12 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-24515
• https://github.com/libexpat/libexpat/pull/1131

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

Remediation

There is no fixed version for Debian:12 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-0725
• https://curl.se/docs/CVE-2025-0725.html
• https://curl.se/docs/CVE-2025-0725.json
• https://hackerone.com/reports/2956023
• http://www.openwall.com/lists/oss-security/2025/02/05/3
• http://www.openwall.com/lists/oss-security/2025/02/06/2
• http://www.openwall.com/lists/oss-security/2025/02/06/4
• https://security.netapp.com/advisory/ntap-20250306-0009/
• https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

Remediation

There is no fixed version for Debian:12 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-10148
• https://curl.se/docs/CVE-2025-10148.html
• https://curl.se/docs/CVE-2025-10148.json
• https://hackerone.com/reports/3330839
• http://www.openwall.com/lists/oss-security/2025/09/10/2
• http://www.openwall.com/lists/oss-security/2025/09/10/3
• http://www.openwall.com/lists/oss-security/2025/09/10/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms.

This prevents curl from detecting MITM attackers and more.

Remediation

There is no fixed version for Debian:12 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-10966
• https://curl.se/docs/CVE-2025-10966.html
• https://curl.se/docs/CVE-2025-10966.json
• https://hackerone.com/reports/3355218
• http://www.openwall.com/lists/oss-security/2025/11/05/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.

Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Remediation

There is no fixed version for Debian:12 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14017
• https://curl.se/docs/CVE-2025-14017.html
• https://curl.se/docs/CVE-2025-14017.json
• http://www.openwall.com/lists/oss-security/2026/01/07/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

Remediation

There is no fixed version for Debian:12 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14819
• https://curl.se/docs/CVE-2025-14819.html
• https://curl.se/docs/CVE-2025-14819.json
• http://www.openwall.com/lists/oss-security/2026/01/07/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.

Remediation

There is no fixed version for Debian:12 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-15079
• https://curl.se/docs/CVE-2025-15079.html
• https://curl.se/docs/CVE-2025-15079.json
• https://hackerone.com/reports/3477116
• http://www.openwall.com/lists/oss-security/2026/01/07/6

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Remediation

There is no fixed version for Debian:12 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-15224
• https://curl.se/docs/CVE-2025-15224.html
• https://curl.se/docs/CVE-2025-15224.json
• https://hackerone.com/reports/3480925
• http://www.openwall.com/lists/oss-security/2026/01/07/7

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.

Remediation

There is no fixed version for Debian:12 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2024-2379
• http://seclists.org/fulldisclosure/2024/Jul/18
• http://seclists.org/fulldisclosure/2024/Jul/19
• http://seclists.org/fulldisclosure/2024/Jul/20
• http://www.openwall.com/lists/oss-security/2024/03/27/2
• https://curl.se/docs/CVE-2024-2379.html
• https://curl.se/docs/CVE-2024-2379.json
• https://hackerone.com/reports/2410774
• https://security.netapp.com/advisory/ntap-20240531-0001/
• https://support.apple.com/kb/HT214118
• https://support.apple.com/kb/HT214119
• https://support.apple.com/kb/HT214120

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Remediation

There is no fixed version for Debian:12 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14524
• https://curl.se/docs/CVE-2025-14524.html
• https://curl.se/docs/CVE-2025-14524.json
• https://hackerone.com/reports/3459417
• http://www.openwall.com/lists/oss-security/2026/01/07/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream dpkg package and not the dpkg package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

Remediation

There is no fixed version for Debian:12 dpkg.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6297
• https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.

Remediation

There is no fixed version for Debian:12 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2025-59375
• https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74
• https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes
• https://github.com/libexpat/libexpat/issues/1018
• https://github.com/libexpat/libexpat/pull/1034
• https://issues.oss-fuzz.com/issues/439133977
• http://www.openwall.com/lists/oss-security/2025/09/16/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-50602
• https://github.com/libexpat/libexpat/pull/915
• https://lists.debian.org/debian-lts-announce/2025/04/msg00040.html
• https://security.netapp.com/advisory/ntap-20250404-0008/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

Remediation

There is no fixed version for Debian:12 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-25210
• https://github.com/libexpat/libexpat/pull/1075
• https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Remediation

There is no fixed version for Debian:12 git.

References

• https://security-tracker.debian.org/tracker/CVE-2025-46835
• https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da
• https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg
• https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html
• http://www.openwall.com/lists/oss-security/2025/07/08/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Remediation

There is no fixed version for Debian:12 git.

References

• https://security-tracker.debian.org/tracker/CVE-2025-48385
• https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655
• http://www.openwall.com/lists/oss-security/2025/07/08/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Remediation

There is no fixed version for Debian:12 git.

References

• https://security-tracker.debian.org/tracker/CVE-2025-48384
• https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384
• http://seclists.org/fulldisclosure/2025/Sep/60
• https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html
• http://www.openwall.com/lists/oss-security/2025/07/08/4
• https://github.com/liamg/CVE-2025-48384
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Remediation

There is no fixed version for Debian:12 git.

References

• https://security-tracker.debian.org/tracker/CVE-2025-27613
• https://github.com/j6t/gitk/compare/465f03869ae11acd04abfa1b83c67879c867410c..026c397d911cde55924d7eb1311d0fd6e2e105d5
• https://github.com/j6t/gitk/compare/7dd272eca153058da2e8d5b9960bbbf0b4f0cbaa..67a128b91e25978a15f9f7e194d81b441d603652
• https://github.com/j6t/gitk/security/advisories/GHSA-f3cw-xrj3-wr2v
• https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html
• http://www.openwall.com/lists/oss-security/2025/07/08/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Remediation

There is no fixed version for Debian:12 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2025-15281
• https://sourceware.org/bugzilla/show_bug.cgi?id=33814
• http://www.openwall.com/lists/oss-security/2026/01/20/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u11 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-4802
• https://sourceware.org/bugzilla/show_bug.cgi?id=32976
• https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e
• http://www.openwall.com/lists/oss-security/2025/05/16/7
• http://www.openwall.com/lists/oss-security/2025/05/17/2
• https://lists.debian.org/debian-lts-announce/2025/05/msg00033.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u13 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-8058
• https://sourceware.org/bugzilla/show_bug.cgi?id=33185
• https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f
• http://www.openwall.com/lists/oss-security/2025/07/23/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.

Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.

Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

Remediation

There is no fixed version for Debian:12 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-0861
• https://sourceware.org/bugzilla/show_bug.cgi?id=33796
• https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001
• http://www.openwall.com/lists/oss-security/2026/01/16/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Remediation

There is no fixed version for Debian:12 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-0915
• http://www.openwall.com/lists/oss-security/2026/01/16/6
• https://sourceware.org/bugzilla/show_bug.cgi?id=33802

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

Remediation

There is no fixed version for Debian:12 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2024-26461
• https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md
• https://security.netapp.com/advisory/ntap-20240415-0011/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Remediation

There is no fixed version for Debian:12 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2024-26458
• https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md
• https://security.netapp.com/advisory/ntap-20240415-0010/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Debian:12 libgcrypt20.

References

• https://security-tracker.debian.org/tracker/CVE-2024-2236
• https://access.redhat.com/errata/RHSA-2024:9404
• https://bugzilla.redhat.com/show_bug.cgi?id=2268268
• https://access.redhat.com/errata/RHSA-2025:3534
• https://access.redhat.com/errata/RHSA-2025:3530
• https://access.redhat.com/security/cve/CVE-2024-2236
• https://bugzilla.redhat.com/show_bug.cgi?id=2245218

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

Remediation

There is no fixed version for Debian:12 libtasn1-6.

References

• https://security-tracker.debian.org/tracker/CVE-2025-13151
• https://gitlab.com/gnutls/libtasn1
• https://gitlab.com/gnutls/libtasn1/-/merge_requests/121
• http://www.openwall.com/lists/oss-security/2026/01/08/5
• https://www.kb.cert.org/vuls/id/271649

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.

Remediation

There is no fixed version for Debian:12 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2026-22185
• https://seclists.org/fulldisclosure/2026/Jan/5
• https://seclists.org/fulldisclosure/2026/Jan/8
• https://www.openldap.org/
• https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline
• https://bugs.openldap.org/show_bug.cgi?id=10421

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

Remediation

There is no fixed version for Debian:12 openssh.

References

• https://security-tracker.debian.org/tracker/CVE-2025-61984
• https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
• https://www.openssh.com/releasenotes.html#10.1p1
• https://www.openwall.com/lists/oss-security/2025/10/06/1
• https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
• http://www.openwall.com/lists/oss-security/2025/10/07/1
• http://www.openwall.com/lists/oss-security/2025/10/12/1
• https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-code-execution-vulnerability-affecting-openssh
• https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-code-execution-vulnerability-affecting-openssh

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

Remediation

There is no fixed version for Debian:12 openssh.

References

• https://security-tracker.debian.org/tracker/CVE-2025-61985
• https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
• https://www.openssh.com/releasenotes.html#10.1p1
• https://www.openwall.com/lists/oss-security/2025/10/06/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.18-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-15467
• https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703
• https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9
• https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3
• https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e
• https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc
• https://openssl-library.org/news/secadv/20260127.txt
• http://www.openwall.com/lists/oss-security/2026/01/27/10
• https://github.com/guiimoraes/CVE-2025-15467

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value (nonce) from the signatures. Next, based on the bit size of the extracted nonce, one can compare the signing time of full-sized nonces to signatures that used smaller nonces, via statistical tests. There is a side-channel in the P-364 curve that allows private key extraction (also, there is a dependency between the bit size of K and the size of the side channel). NOTE: This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.

Remediation

There is no fixed version for Debian:12 openssl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-27587
• https://github.com/openssl/openssl/issues/24253
• https://minerva.crocs.fi.muni.cz

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.

Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.

The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.18-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-68160
• https://github.com/openssl/openssl/commit/384011202af92605d926fafe4a0bcd6b65d162ad
• https://github.com/openssl/openssl/commit/475c466ef2fbd8fc1df6fae1c3eed9c813fc8ff6
• https://github.com/openssl/openssl/commit/4c96fbba618e1940f038012506ee9e21d32ee12c
• https://github.com/openssl/openssl/commit/6845c3b6460a98b1ec4e463baa2ea1a63a32d7c0
• https://github.com/openssl/openssl/commit/68a7cd2e2816c3a02f4d45a2ce43fc04fac97096
• https://openssl-library.org/news/secadv/20260127.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.18-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-69418
• https://github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc
• https://github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8
• https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347
• https://github.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae
• https://github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977
• https://openssl-library.org/news/secadv/20260127.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.

Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.

The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.18-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-69419
• https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296
• https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb
• https://github.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2
• https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015
• https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535
• https://openssl-library.org/news/secadv/20260127.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.

Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.18-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-69420
• https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9
• https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a
• https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e
• https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b
• https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085
• https://openssl-library.org/news/secadv/20260127.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Debian:12 openssl to version 3.0.17-1~deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-9230
• https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45
• https://github.com/openssl/openssl/commit/9e91358f365dee6c446dcdcdb01c04d2743fd280
• https://github.com/openssl/openssl/commit/a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def
• https://github.com/openssl/openssl/commit/b5282d677551afda7d20e9c00e09561b547b2dfd
• https://github.com/openssl/openssl/commit/bae259a211ada6315dc50900686daaaaaa55f482
• https://github.openssl.org/openssl/extended-releases/commit/c2b96348bfa662f25f4fabf81958ae822063dae3
• https://github.openssl.org/openssl/extended-releases/commit/dfbaf161d8dafc1132dd88cd48ad990ed9b4c8ba
• https://openssl-library.org/news/secadv/20250930.txt
• https://lists.debian.org/debian-lts-announce/2025/10/msg00001.html
• http://www.openwall.com/lists/oss-security/2025/09/30/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.

Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.

The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.

In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.

The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Debian:12 openssl to version 3.0.17-1~deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-9232
• https://github.com/openssl/openssl/commit/2b4ec20e47959170422922eaff25346d362dcb35
• https://github.com/openssl/openssl/commit/654dc11d23468a74fc8ea4672b702dd3feb7be4b
• https://github.com/openssl/openssl/commit/7cf21a30513c9e43c4bc3836c237cf086e194af3
• https://github.com/openssl/openssl/commit/89e790ac431125a4849992858490bed6b225eadf
• https://github.com/openssl/openssl/commit/bbf38c034cdabd0a13330abcc4855c866f53d2e0
• https://openssl-library.org/news/secadv/20250930.txt
• http://www.openwall.com/lists/oss-security/2025/09/30/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.

Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.

A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.

The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.18-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-22795
• https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
• https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
• https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
• https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
• https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
• https://openssl-library.org/news/secadv/20260127.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.

Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.18-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-22796
• https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
• https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
• https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
• https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
• https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
• https://openssl-library.org/news/secadv/20260127.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Perl threads have a working directory race condition where file operations may target unintended paths.

If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.

This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.

The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

Remediation

Upgrade Debian:12 perl to version 5.36.0-7+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-40909
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226
• https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e
• https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch
• https://github.com/Perl/perl5/issues/10387
• https://github.com/Perl/perl5/issues/23010
• https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads
• https://www.openwall.com/lists/oss-security/2025/05/22/2
• http://www.openwall.com/lists/oss-security/2025/05/23/1
• http://www.openwall.com/lists/oss-security/2025/05/30/4
• http://www.openwall.com/lists/oss-security/2025/06/02/2
• http://www.openwall.com/lists/oss-security/2025/06/02/5
• http://www.openwall.com/lists/oss-security/2025/06/02/6
• http://www.openwall.com/lists/oss-security/2025/06/02/7
• http://www.openwall.com/lists/oss-security/2025/06/03/1
• http://seclists.org/fulldisclosure/2025/Sep/53
• http://seclists.org/fulldisclosure/2025/Sep/54
• http://seclists.org/fulldisclosure/2025/Sep/55

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

Remediation

There is no fixed version for Debian:12 python3.11.

References

• https://security-tracker.debian.org/tracker/CVE-2025-11468
• https://github.com/python/cpython/issues/143935
• https://github.com/python/cpython/pull/143936
• https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/
• https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2
• https://github.com/python/cpython/commit/61614a5e5056e4f61ced65008d4576f3df34acb6
• https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0
• https://github.com/python/cpython/commit/f738386838021c762efea6c9802c82de65e87796
• https://github.com/python/cpython/commit/a76e4cd62dd68e7cbe86e37e6ed988495a646b66