NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.

This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32988
• https://access.redhat.com/security/cve/CVE-2025-32988
• https://bugzilla.redhat.com/show_bug.cgi?id=2359622
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529
• https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
• https://access.redhat.com/errata/RHSA-2026:7477
• https://cert-portal.siemens.com/productcert/html/ssa-082556.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32990
• https://access.redhat.com/security/cve/CVE-2025-32990
• https://bugzilla.redhat.com/show_bug.cgi?id=2359620
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529
• https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
• https://access.redhat.com/errata/RHSA-2026:7477

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42013
• https://access.redhat.com/security/cve/CVE-2026-42013
• https://bugzilla.redhat.com/show_bug.cgi?id=2467448
• https://access.redhat.com/errata/RHSA-2026:20611
• https://access.redhat.com/errata/RHSA-2026:20613
• https://access.redhat.com/errata/RHSA-2026:20612

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5260
• https://access.redhat.com/security/cve/CVE-2026-5260
• https://bugzilla.redhat.com/show_bug.cgi?id=2467450
• https://access.redhat.com/errata/RHSA-2026:20611
• https://access.redhat.com/errata/RHSA-2026:20613
• https://access.redhat.com/errata/RHSA-2026:20612

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u10 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-35414
• https://www.openssh.org/releasenotes.html#10.3p1
• https://www.openwall.com/lists/oss-security/2026/04/02/3
• https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u10 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-35385
• https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2
• https://www.openssh.org/releasenotes.html#10.3p1
• https://www.openwall.com/lists/oss-security/2026/04/02/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u10 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-35386
• https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2
• https://www.openssh.org/releasenotes.html#10.3p1
• https://www.openwall.com/lists/oss-security/2026/04/02/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-6387
• http://seclists.org/fulldisclosure/2024/Jul/18
• http://seclists.org/fulldisclosure/2024/Jul/19
• http://seclists.org/fulldisclosure/2024/Jul/20
• http://www.openwall.com/lists/oss-security/2024/07/01/12
• http://www.openwall.com/lists/oss-security/2024/07/01/13
• http://www.openwall.com/lists/oss-security/2024/07/02/1
• http://www.openwall.com/lists/oss-security/2024/07/03/1
• http://www.openwall.com/lists/oss-security/2024/07/03/11
• http://www.openwall.com/lists/oss-security/2024/07/03/2
• http://www.openwall.com/lists/oss-security/2024/07/03/3
• http://www.openwall.com/lists/oss-security/2024/07/03/4
• http://www.openwall.com/lists/oss-security/2024/07/03/5
• http://www.openwall.com/lists/oss-security/2024/07/04/1
• http://www.openwall.com/lists/oss-security/2024/07/04/2
• http://www.openwall.com/lists/oss-security/2024/07/08/2
• http://www.openwall.com/lists/oss-security/2024/07/08/3
• http://www.openwall.com/lists/oss-security/2024/07/09/2
• http://www.openwall.com/lists/oss-security/2024/07/09/5
• http://www.openwall.com/lists/oss-security/2024/07/10/1
• http://www.openwall.com/lists/oss-security/2024/07/10/2
• http://www.openwall.com/lists/oss-security/2024/07/10/3
• http://www.openwall.com/lists/oss-security/2024/07/10/4
• http://www.openwall.com/lists/oss-security/2024/07/10/6
• http://www.openwall.com/lists/oss-security/2024/07/11/1
• http://www.openwall.com/lists/oss-security/2024/07/11/3
• http://www.openwall.com/lists/oss-security/2024/07/23/4
• http://www.openwall.com/lists/oss-security/2024/07/23/6
• http://www.openwall.com/lists/oss-security/2024/07/28/2
• http://www.openwall.com/lists/oss-security/2024/07/28/3
• https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
• https://arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux/
• https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
• https://explore.alas.aws.amazon.com/CVE-2024-6387.html
• https://forum.vmssoftware.com/viewtopic.php?f=8&t=9132
• https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc
• https://github.com/AlmaLinux/updates/issues/629
• https://github.com/Azure/AKS/issues/4379
• https://github.com/PowerShell/Win32-OpenSSH/discussions/2248
• https://github.com/PowerShell/Win32-OpenSSH/issues/2249
• https://github.com/microsoft/azurelinux/issues/9555
• https://github.com/openela-main/openssh/commit/e1f438970e5a337a17070a637c1b9e19697cad09
• https://github.com/oracle/oracle-linux/issues/149
• https://github.com/rapier1/hpn-ssh/issues/87
• https://github.com/zgzhang/cve-2024-6387-poc
• https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/thread/23BF5BMGFVEVUI2WNVAGMLKT557EU7VY/
• https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html
• https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
• https://news.ycombinator.com/item?id=40843778
• https://packetstorm.news/files/id/190587/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010
• https://security.netapp.com/advisory/ntap-20240701-0001/
• https://sig-security.rocky.page/issues/CVE-2024-6387/
• https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution/
• https://support.apple.com/kb/HT214118
• https://support.apple.com/kb/HT214119
• https://support.apple.com/kb/HT214120
• https://ubuntu.com/security/CVE-2024-6387
• https://ubuntu.com/security/notices/USN-6859-1
• https://www.akamai.com/blog/security-research/2024-openssh-vulnerability-regression-what-to-know-and-do
• https://www.arista.com/en/support/advisories-notices/security-advisory/19904-security-advisory-0100
• https://www.exploit-db.com/exploits/52269
• https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc
• https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html
• https://www.suse.com/security/cve/CVE-2024-6387.html
• https://www.theregister.com/2024/07/01/regresshion_openssh/
• https://www.vicarius.io/vsociety/posts/regresshion-an-openssh-regression-error-cve-2024-6387
• https://access.redhat.com/errata/RHSA-2024:4312
• https://access.redhat.com/errata/RHSA-2024:4340
• https://access.redhat.com/errata/RHSA-2024:4389
• https://access.redhat.com/errata/RHSA-2024:4469
• https://access.redhat.com/errata/RHSA-2024:4474
• https://access.redhat.com/errata/RHSA-2024:4479
• https://access.redhat.com/errata/RHSA-2024:4484
• https://access.redhat.com/security/cve/CVE-2024-6387
• https://bugzilla.redhat.com/show_bug.cgi?id=2294604
• https://santandersecurityresearch.github.io/blog/sshing_the_masses.html
• https://www.openssh.com/txt/release-9.8
• https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
• https://cert-portal.siemens.com/productcert/html/ssa-082556.html
• https://cert-portal.siemens.com/productcert/html/ssa-446545.html
• https://github.com/xonoxitron/regreSSHion-checker

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code.

However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage.

By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable.

The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records.

No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.

Remediation

Upgrade Debian:12 openssl to version 3.0.19-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-28387
• https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b
• https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe
• https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3
• https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7
• https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177
• https://openssl-library.org/news/secadv/20260407.txt
• https://cert-portal.siemens.com/productcert/html/ssa-032379.html
• https://cert-portal.siemens.com/productcert/html/ssa-265688.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Remediation

Upgrade Debian:12 perl to version 5.36.0-7+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31484
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• http://www.openwall.com/lists/oss-security/2023/04/29/1
• http://www.openwall.com/lists/oss-security/2023/05/03/3
• http://www.openwall.com/lists/oss-security/2023/05/03/5
• http://www.openwall.com/lists/oss-security/2023/05/07/2
• https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
• https://github.com/andk/cpanpm/pull/175
• https://lists.debian.org/debian-lts-announce/2024/10/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• https://metacpan.org/dist/CPAN/changes
• https://security.netapp.com/advisory/ntap-20240621-0007/
• https://www.openwall.com/lists/oss-security/2023/04/18/14

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-29007
• https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt
• https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
• https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://security.gentoo.org/glsa/202312-15
• https://github.com/ethiack/CVE-2023-29007

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-32004
• http://www.openwall.com/lists/oss-security/2024/05/14/2
• https://git-scm.com/docs/git-clone
• https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
• https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-32465
• http://www.openwall.com/lists/oss-security/2024/05/14/2
• https://git-scm.com/docs/git#_security
• https://git-scm.com/docs/git-clone
• https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7
• https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Remediation

Upgrade Debian:12 pam to version 1.5.2-6+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6020
• https://access.redhat.com/security/cve/CVE-2025-6020
• https://bugzilla.redhat.com/show_bug.cgi?id=2372512
• http://www.openwall.com/lists/oss-security/2025/06/17/1
• https://access.redhat.com/errata/RHSA-2025:9526
• https://access.redhat.com/errata/RHSA-2025:10024
• https://access.redhat.com/errata/RHSA-2025:10027
• https://access.redhat.com/errata/RHSA-2025:10180
• https://access.redhat.com/errata/RHSA-2025:10354
• https://access.redhat.com/errata/RHSA-2025:10357
• https://access.redhat.com/errata/RHSA-2025:10358
• https://access.redhat.com/errata/RHSA-2025:10359
• https://access.redhat.com/errata/RHSA-2025:10361
• https://access.redhat.com/errata/RHSA-2025:10362
• https://access.redhat.com/errata/RHSA-2025:10735
• https://access.redhat.com/errata/RHSA-2025:10823
• https://access.redhat.com/errata/RHSA-2025:11386
• https://access.redhat.com/errata/RHSA-2025:11487
• https://access.redhat.com/errata/RHSA-2025:14557
• https://access.redhat.com/errata/RHSA-2025:15099
• https://access.redhat.com/errata/RHSA-2025:15709
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:16524
• https://access.redhat.com/errata/RHSA-2025:18219
• https://lists.debian.org/debian-lts-announce/2025/09/msg00021.html
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:20181
• https://access.redhat.com/errata/RHSA-2025:21885
• https://access.redhat.com/errata/RHSA-2025:22019
• https://access.redhat.com/errata/RHSA-2026:0934
• https://github.com/linux-pam/linux-pam/security/advisories/GHSA-f9p8-gjr4-j9gx
• https://cert-portal.siemens.com/productcert/html/ssa-577017.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-9287
• https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7
• https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db
• https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8
• https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
• https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
• https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483
• https://github.com/python/cpython/issues/124651
• https://github.com/python/cpython/pull/124712
• https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
• https://security.netapp.com/advisory/ntap-20250425-0006/
• https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.

Remediation

There is no fixed version for Debian:12 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-45186
• https://github.com/libexpat/libexpat/pull/1216
• http://www.openwall.com/lists/oss-security/2026/05/11/16

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-52425
• https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html
• http://www.openwall.com/lists/oss-security/2024/03/20/5
• https://github.com/libexpat/libexpat/pull/789
• https://lists.debian.org/debian-lts-announce/2024/04/msg00006.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
• https://security.netapp.com/advisory/ntap-20240614-0003/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-8176
• https://access.redhat.com/security/cve/CVE-2024-8176
• https://bugzilla.redhat.com/show_bug.cgi?id=2310137
• https://github.com/libexpat/libexpat/issues/893
• http://www.openwall.com/lists/oss-security/2025/03/15/1
• https://blog.hartwork.org/posts/expat-2-7-0-released/
• https://bugzilla.suse.com/show_bug.cgi?id=1239618
• https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
• https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
• https://ubuntu.com/security/CVE-2024-8176
• https://security.netapp.com/advisory/ntap-20250328-0009/
• https://access.redhat.com/errata/RHSA-2025:3531
• https://access.redhat.com/errata/RHSA-2025:3734
• https://access.redhat.com/errata/RHSA-2025:3913
• https://access.redhat.com/errata/RHSA-2025:4048
• https://access.redhat.com/errata/RHSA-2025:4447
• https://access.redhat.com/errata/RHSA-2025:4446
• https://access.redhat.com/errata/RHSA-2025:4448
• https://access.redhat.com/errata/RHSA-2025:4449
• https://www.kb.cert.org/vuls/id/760160
• https://access.redhat.com/errata/RHSA-2025:7444
• https://access.redhat.com/errata/RHSA-2025:7512
• https://access.redhat.com/errata/RHSA-2025:8385
• https://access.redhat.com/errata/RHSA-2025:13681
• http://seclists.org/fulldisclosure/2025/May/10
• http://seclists.org/fulldisclosure/2025/May/11
• http://seclists.org/fulldisclosure/2025/May/12
• http://seclists.org/fulldisclosure/2025/May/6
• http://seclists.org/fulldisclosure/2025/May/7
• http://seclists.org/fulldisclosure/2025/May/8
• http://www.openwall.com/lists/oss-security/2025/09/24/11
• https://access.redhat.com/errata/RHSA-2025:22033
• https://access.redhat.com/errata/RHSA-2025:22035
• https://access.redhat.com/errata/RHSA-2025:22034
• https://access.redhat.com/errata/RHSA-2025:22607
• https://access.redhat.com/errata/RHSA-2025:22785
• https://access.redhat.com/errata/RHSA-2025:22842
• https://access.redhat.com/errata/RHSA-2025:22871
• https://github.com/libexpat/libexpat/pull/973

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-45490
• https://github.com/libexpat/libexpat/issues/887
• https://github.com/libexpat/libexpat/pull/890
• https://security.netapp.com/advisory/ntap-20241018-0004/
• http://seclists.org/fulldisclosure/2024/Dec/10
• http://seclists.org/fulldisclosure/2024/Dec/12
• http://seclists.org/fulldisclosure/2024/Dec/6
• http://seclists.org/fulldisclosure/2024/Dec/7
• http://seclists.org/fulldisclosure/2024/Dec/8
• https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html
• https://cert-portal.siemens.com/productcert/html/ssa-082556.html
• https://cert-portal.siemens.com/productcert/html/ssa-613116.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-25652
• http://www.openwall.com/lists/oss-security/2023/04/25/2
• https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902
• https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e
• https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BSXOGVVBJLYX26IAYX6PJSYQB36BREWH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit b01b9b8 which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-52006
• https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g
• https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060
• https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
• https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp
• https://lists.debian.org/debian-lts-announce/2025/01/msg00025.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-33846
• https://access.redhat.com/security/cve/CVE-2026-33846
• https://bugzilla.redhat.com/show_bug.cgi?id=2450625
• https://access.redhat.com/errata/RHSA-2026:13274
• https://access.redhat.com/errata/RHSA-2026:20611
• https://access.redhat.com/errata/RHSA-2026:20613
• https://access.redhat.com/errata/RHSA-2026:20612

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0567
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:1082
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094
• https://access.redhat.com/security/cve/CVE-2024-0567
• https://bugzilla.redhat.com/show_bug.cgi?id=2258544
• https://gitlab.com/gnutls/gnutls/-/issues/1521
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
• https://security.netapp.com/advisory/ntap-20240202-0011/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0553
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://security.netapp.com/advisory/ntap-20240202-0011/
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:0627
• https://access.redhat.com/errata/RHSA-2024:0796
• https://access.redhat.com/errata/RHSA-2024:1082
• https://access.redhat.com/errata/RHSA-2024:1108
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094
• https://access.redhat.com/security/cve/CVE-2024-0553
• https://bugzilla.redhat.com/show_bug.cgi?id=2258412
• https://gitlab.com/gnutls/gnutls/-/issues/1522
• https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42009
• https://access.redhat.com/security/cve/CVE-2026-42009
• https://bugzilla.redhat.com/show_bug.cgi?id=2467279
• https://access.redhat.com/errata/RHSA-2026:13274
• https://access.redhat.com/errata/RHSA-2026:20611
• https://access.redhat.com/errata/RHSA-2026:20613
• https://access.redhat.com/errata/RHSA-2026:20612

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Remediation

Upgrade Debian:12 krb5 to version 1.20.1-2+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-37370
• https://security.netapp.com/advisory/ntap-20241108-0007/
• https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef
• https://web.mit.edu/kerberos/www/advisories/
• https://cert-portal.siemens.com/productcert/html/ssa-082556.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u9 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3497
• https://ubuntu.com/security/CVE-2026-3497
• https://www.openwall.com/lists/oss-security/2026/03/12/3
• http://www.openwall.com/lists/oss-security/2026/03/12/3
• http://www.openwall.com/lists/oss-security/2026/03/14/3
• http://www.openwall.com/lists/oss-security/2026/03/14/4
• http://www.openwall.com/lists/oss-security/2026/03/18/2
• http://www.openwall.com/lists/oss-security/2026/03/18/4
• http://www.openwall.com/lists/oss-security/2026/03/18/5
• http://www.openwall.com/lists/oss-security/2026/03/18/7
• https://lists.debian.org/debian-lts-announce/2026/04/msg00014.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can a cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.14-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-6119
• https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f
• https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6
• https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2
• https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0
• https://openssl-library.org/news/secadv/20240903.txt
• http://www.openwall.com/lists/oss-security/2024/09/03/4
• https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html
• https://security.netapp.com/advisory/ntap-20240912-0001/
• https://cert-portal.siemens.com/productcert/html/ssa-082556.html
• https://cert-portal.siemens.com/productcert/html/ssa-613116.html
• https://cert-portal.siemens.com/productcert/html/ssa-769027.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.

Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.

Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.18-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-69421
• https://github.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b
• https://github.com/openssl/openssl/commit/36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7
• https://github.com/openssl/openssl/commit/4bbc8d41a72c842ce4077a8a3eccd1109aaf74bd
• https://github.com/openssl/openssl/commit/643986985cd1c21221f941129d76fe0c2785aeb3
• https://github.com/openssl/openssl/commit/a2dbc539f0f9cc63832709fa5aa33ad9495eb19c
• https://openssl-library.org/news/secadv/20260127.txt
• https://cert-portal.siemens.com/productcert/html/ssa-265688.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing.

Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application.

When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference.

Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.

The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Debian:12 openssl to version 3.0.19-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-28388
• https://github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e
• https://github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139
• https://github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3
• https://github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8
• https://github.com/openssl/openssl/commit/d3a901e8d9f021f3e67d6cfbc12e768129862726
• https://openssl-library.org/news/secadv/20260407.txt
• https://cert-portal.siemens.com/productcert/html/ssa-032379.html
• https://cert-portal.siemens.com/productcert/html/ssa-265688.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Debian:12 openssl to version 3.0.19-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-28389
• https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5
• https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616
• https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f
• https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a
• https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686
• https://openssl-library.org/news/secadv/20260407.txt
• https://cert-portal.siemens.com/productcert/html/ssa-032379.html
• https://cert-portal.siemens.com/productcert/html/ssa-265688.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Debian:12 openssl to version 3.0.19-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-28390
• https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc
• https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6
• https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4
• https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788
• https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75
• https://openssl-library.org/news/secadv/20260407.txt
• https://cert-portal.siemens.com/productcert/html/ssa-032379.html
• https://cert-portal.siemens.com/productcert/html/ssa-265688.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-24329
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/
• https://github.com/python/cpython/issues/102153
• https://github.com/python/cpython/pull/99421
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://lists.debian.org/debian-lts-announce/2024/11/msg00005.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/
• https://pointernull.com/security/python-url-parse-problem.html
• https://security.netapp.com/advisory/ntap-20230324-0004/
• https://www.kb.cert.org/vuls/id/127587

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-7592
• https://github.com/python/cpython/issues/123067
• https://github.com/python/cpython/pull/123075
• https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/
• https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621
• https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef
• https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06
• https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a
• https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f
• https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774
• https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1
• https://security.netapp.com/advisory/ntap-20241018-0006/
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-6232
• https://github.com/python/cpython/commit/4eaf4891c12589e3c7bdad5f5b076e4c8392dd06
• https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4
• https://github.com/python/cpython/commit/d449caf8a179e3b954268b3a88eb9170be3c8fbf
• https://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373
• https://github.com/python/cpython/issues/121285
• https://github.com/python/cpython/pull/121286
• https://mail.python.org/archives/list/security-announce@python.org/thread/JRYFTPRHZRTLMZLWQEUHZSJXNHM4ACTY/
• https://github.com/python/cpython/commit/34ddb64d088dd7ccc321f6103d23153256caa5d4
• https://github.com/python/cpython/commit/7d1f50cd92ff7e10a1c15a8f591dde8a6843a64d
• https://github.com/python/cpython/commit/b4225ca91547aa97ed3aca391614afbb255bc877
• http://www.openwall.com/lists/oss-security/2024/09/03/5
• https://security.netapp.com/advisory/ntap-20241018-0007/
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-13836
• https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628
• https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15
• https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155
• https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5
• https://github.com/python/cpython/issues/119451
• https://github.com/python/cpython/pull/119454
• https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/
• https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0
• https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-41105
• https://mail.python.org/archives/list/security-announce@python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/
• https://github.com/python/cpython/issues/106242
• https://github.com/python/cpython/pull/107981
• https://github.com/python/cpython/pull/107982
• https://github.com/python/cpython/pull/107983
• https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/
• https://security.netapp.com/advisory/ntap-20231006-0015/

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Remediation

Upgrade Debian:12 systemd to version 252.23-1~deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-50387
• https://datatracker.ietf.org/doc/html/rfc4035
• https://lists.debian.org/debian-lts-announce/2024/11/msg00035.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00001.html
• http://www.openwall.com/lists/oss-security/2024/02/16/2
• http://www.openwall.com/lists/oss-security/2024/02/16/3
• https://access.redhat.com/security/cve/CVE-2023-50387
• https://bugzilla.suse.com/show_bug.cgi?id=1219823
• https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
• https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
• https://kb.isc.org/docs/cve-2023-50387
• https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
• https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
• https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
• https://news.ycombinator.com/item?id=39367411
• https://news.ycombinator.com/item?id=39372384
• https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
• https://security.netapp.com/advisory/ntap-20240307-0007/
• https://www.athene-center.de/aktuelles/key-trap
• https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
• https://www.isc.org/blogs/2024-bind-security-release/
• https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
• https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
• https://github.com/knqyf263/CVE-2023-50387

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

Remediation

Upgrade Debian:12 systemd to version 252.23-1~deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-50868
• http://www.openwall.com/lists/oss-security/2024/02/16/2
• http://www.openwall.com/lists/oss-security/2024/02/16/3
• https://access.redhat.com/security/cve/CVE-2023-50868
• https://bugzilla.suse.com/show_bug.cgi?id=1219826
• https://datatracker.ietf.org/doc/html/rfc5155
• https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
• https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
• https://kb.isc.org/docs/cve-2023-50868
• https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
• https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00001.html
• https://lists.debian.org/debian-lts-announce/2024/11/msg00035.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
• https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
• https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
• https://security.netapp.com/advisory/ntap-20240307-0008/
• https://www.isc.org/blogs/2024-bind-security-release/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42011
• https://access.redhat.com/security/cve/CVE-2026-42011
• https://bugzilla.redhat.com/show_bug.cgi?id=2467437
• https://access.redhat.com/errata/RHSA-2026:13274
• https://access.redhat.com/errata/RHSA-2026:20611
• https://access.redhat.com/errata/RHSA-2026:20613
• https://access.redhat.com/errata/RHSA-2026:20612

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName (DNS) or rfc822Name (email) constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3833
• https://access.redhat.com/errata/RHSA-2026:13274
• https://access.redhat.com/security/cve/CVE-2026-3833
• https://bugzilla.redhat.com/show_bug.cgi?id=2445763
• https://access.redhat.com/errata/RHSA-2026:20611
• https://access.redhat.com/errata/RHSA-2026:20613
• https://access.redhat.com/errata/RHSA-2026:20612
• https://gitlab.com/gnutls/gnutls/-/issues/1803

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

Remediation

Upgrade Debian:12 sqlite3 to version 3.40.1-2+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-7104
• https://lists.debian.org/debian-lts-announce/2024/09/msg00050.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/
• https://security.netapp.com/advisory/ntap-20240112-0008/
• https://sqlite.org/forum/forumpost/5bcbf4571c
• https://sqlite.org/src/info/0e4e7a05c4204b47
• https://vuldb.com/?ctiid.248999
• https://vuldb.com/?id.248999

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the objects/ directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's objects/ directory. When cloning a repository over the filesystem (without explicitly specifying the file:// protocol or --no-local), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-32021
• http://www.openwall.com/lists/oss-security/2024/05/14/2
• https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42012
• https://access.redhat.com/security/cve/CVE-2026-42012
• https://bugzilla.redhat.com/show_bug.cgi?id=2467441
• https://access.redhat.com/errata/RHSA-2026:20611
• https://access.redhat.com/errata/RHSA-2026:20613
• https://access.redhat.com/errata/RHSA-2026:20612

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

Remediation

Upgrade Debian:12 gnupg2 to version 2.2.40-1.1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-68973
• https://github.com/gpg/gnupg/blob/ff30683418695f5d2cc9e6cf8c9418e09378ebe4/g10/armor.c#L1305-L1306
• https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9
• https://github.com/gpg/gnupg/compare/gnupg-2.2.50...gnupg-2.2.51
• https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
• https://news.ycombinator.com/item?id=46403200
• https://www.openwall.com/lists/oss-security/2025/12/28/5
• http://www.openwall.com/lists/oss-security/2025/12/29/11
• https://lists.debian.org/debian-lts-announce/2026/01/msg00008.html
• https://gpg.fail/memcpy

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap2 package and not the libcap2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

Remediation

Upgrade Debian:12 libcap2 to version 1:2.66-4+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-4878
• https://access.redhat.com/errata/RHSA-2026:7473
• https://access.redhat.com/security/cve/CVE-2026-4878
• https://bugzilla.redhat.com/show_bug.cgi?id=2447554
• https://bugzilla.redhat.com/show_bug.cgi?id=2451615
• http://www.openwall.com/lists/oss-security/2026/04/07/14
• http://www.openwall.com/lists/oss-security/2026/04/07/4
• http://www.openwall.com/lists/oss-security/2026/04/08/9
• http://www.openwall.com/lists/oss-security/2026/04/09/5
• http://www.openwall.com/lists/oss-security/2026/04/09/6
• https://access.redhat.com/errata/RHSA-2026:12423
• https://access.redhat.com/errata/RHSA-2026:12441
• https://access.redhat.com/errata/RHSA-2026:13285
• https://access.redhat.com/errata/RHSA-2026:14162
• https://access.redhat.com/errata/RHSA-2026:14937
• https://access.redhat.com/errata/RHSA-2026:19130
• https://access.redhat.com/errata/RHSA-2026:19346
• https://access.redhat.com/errata/RHSA-2026:19456
• https://access.redhat.com/errata/RHSA-2026:19458
• https://access.redhat.com/errata/RHSA-2026:20595
• https://access.redhat.com/errata/RHSA-2026:21275
• https://access.redhat.com/errata/RHSA-2026:21254
• https://access.redhat.com/errata/RHSA-2026:22634
• https://access.redhat.com/errata/RHSA-2026:22957