MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

---

• zlib 1:1.3.dfsg-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054290)
  [bookworm] - zlib (contrib/minizip not built and src:zlib not producing binary packages)
  [bullseye] - zlib (contrib/minizip not built and src:zlib not producing binary packages)
  [buster] - zlib (contrib/minizip not built and src:zlib not producing binary packages)
• minizip (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056718)
  [bookworm] - minizip 1.1-8+deb12u1
  [bullseye] - minizip 1.1-8+deb11u1
  minizip: Check length of comment, filename, and extra field, in zipOpenNewFileInZip4_64 madler/zlib#843
  madler/zlib@73331a6
  src:zlib only starts building minizip starting in 1:1.2.13.dfsg-2
  For older suites due to this an update can be ignored as no binary package built
  by the vulnerable source is affected (i.e. contrib/minizip not built and provided
  in those versions).

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

---

[experimental] - perl 5.38.0~rc2-1

• perl 5.38.2-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035109)
  [bookworm] - perl (Minor issue)
  [buster] - perl (Minor issue)
  Add verify_SSL=>1 to HTTP::Tiny in CPAN::HTTP::Client to verify https server identity andk/cpanpm#175
  andk/cpanpm@9c98370 (2.35-TRIAL)

A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.

---

• perl 5.36.0-10 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746)
  [bookworm] - perl 5.36.0-7+deb12u1
  [bullseye] - perl 5.32.1-4+deb11u3
  [buster] - perl (Vulnerable code introduced later)
  Fixed by: Perl/perl5@12c313c (v5.34.2)
  Fixed by: Perl/perl5@7047915 (v5.36.2)
  Fixed by: Perl/perl5@92a9eb3 (v5.38.1)
  Fixed by: Perl/perl5@ff1f9f5 (bleed)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

---

[experimental] - perl 5.40.1-4

• perl 5.40.1-5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226)
  [bookworm] - perl (Minor issue; Perl maintainer will fix it via point release)
  [bullseye] - perl (Minor issue, revisit when fixed upstream)
  Thread creation while a directory handle is open does a fchdir, affecting other threads (race condition) Perl/perl5#23010
  Fixed by: Perl/perl5@fc8063a (v5.41.13)
  Fixed by: Perl/perl5@a1327b5 (v5.41.13)
  Fixed by: Perl/perl5@1f9097b (v5.41.13)
  Fixed by: Perl/perl5@5c2e757 (v5.41.13)
  Squashed version of fix (to help backports):
  Perl/perl5@918bfff
  https://lists.security.metacpan.org/cve-announce/msg/30017499/

A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

---

• perl 5.40.1-3
  [bullseye] - perl (Vulnerable code introduced later)
  https://lists.security.metacpan.org/cve-announce/msg/28708725/
  Introduced by: Perl/perl5@a311ee0 (v5.33.1)
  Fixed by: Perl/perl5@87f42aa

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

---

• libhttp-tiny-perl 0.088-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962407; unimportant)
  [experimental] - perl 5.38.0~rc2-1
• perl 5.38.2-2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954089)
  https://www.openwall.com/lists/oss-security/2023/04/18/14
  verify_SSL being true by default (redux) chansen/p5-http-tiny#134
  https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
  https://hackeriet.github.io/cpan-http-tiny-overview/
  Applications need to explicitly opt in to enable verification.

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

---

[experimental] - pam 1.7.0-4

• pam 1.7.0-5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107919)
  https://www.openwall.com/lists/oss-security/2025/06/17/1
  GHSA-f9p8-gjr4-j9gx
  Fixed by: linux-pam/linux-pam@475bd60 (v1.7.1)
  Fixed by: linux-pam/linux-pam@592d84e (v1.7.1)
  Fixed by: linux-pam/linux-pam@976c200 (v1.7.1)

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.

---

[experimental] - pam 1.5.3-2

• pam 1.5.3-4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061097)
  [bookworm] - pam (Minor issue)
  [bullseye] - pam (Minor issue)
  [buster] - pam (Minor issue)
  https://www.openwall.com/lists/oss-security/2024/01/18/3
  linux-pam/linux-pam@031bb5a (v1.6.0)

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

---

[experimental] - pam 1.7.0-1

• pam 1.7.0-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086038)
  [bookworm] - pam (Minor issue; requires src:apparmor changes, cf #1110326)
  [bullseye] - pam (Minor issue; requires src:apparmor changes, cf #1110326, and may break SELINUX)
  https://bugzilla.redhat.com/show_bug.cgi?id=2319212
  CVE-2024-10041 pam: libpam: Libpam vulnerable to read hashed password linux-pam/linux-pam#846
  pam_unix/passverify: always run the helper to obtain shadow password file entries linux-pam/linux-pam#686
  linux-pam/linux-pam@b3020da (v1.6.0)
  linux-pam/linux-pam@b7b9636 (v1.6.1)

A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.

---

• pam 1.7.0-5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087019)
  [bookworm] - pam (The vulnerable code was introduced in 1.5.3)
  [bullseye] - pam (The vulnerable code was introduced in 1.5.3)
  https://bugzilla.redhat.com/show_bug.cgi?id=2324291
  pam_access.so considers tty* names as hostnames linux-pam/linux-pam#834
  Introduced in linux-pam/linux-pam@23393be (v1.5.3)
  Mitigated by: linux-pam/linux-pam@940747f (v1.7.1)
  Since pam/1.7.0-5 in Debian unstable backports upstream commit to implement
  the nodns option to allow people to work around #1087019, even though it doesn't
  fix the root cause.

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

---

• dpkg 1.22.21
  [bookworm] - dpkg (Minor issue)
  [bullseye] - dpkg (Minor issue)
  Fixed by: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82 (main)
  Fixed by: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=98c623c8d6814ae46a3b30ca22e584c77d47d86b (1.22.21)

In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.

---

• tar 1.34+dfsg-1.3 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079)
  [bookworm] - tar 1.34+dfsg-1.2+deb12u1
  [bullseye] - tar 1.34+dfsg-1+deb11u1
  Fixed by: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 (v1.35)

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.

---

• tar 1.34+dfsg-1.4 (unimportant)
  [bookworm] - tar 1.34+dfsg-1.2+deb12u1
  [bullseye] - tar 1.34+dfsg-1+deb11u1
  Crash in CLI tool, no security impact
  https://savannah.gnu.org/bugs/?62387
  https://savannah.gnu.org/patch/?10307
  Fixed by: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 (v1.35)

A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.

---

• libtasn1-6 4.20.0-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095406)
  https://www.openwall.com/lists/oss-security/2025/02/06/6
  https://gitlab.com/gnutls/libtasn1/-/issues/52
  https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a (v4.20.0)
  https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d (v4.20.0)
  https://lists.gnu.org/archive/html/help-libtasn1/2025-02/msg00001.html

The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.

---

• libcap2 1:2.73-4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098318)
  [bookworm] - libcap2 1:2.66-4+deb12u1
  https://bugzilla.openanolis.cn/show_bug.cgi?id=18804
  Fixed by: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878 (cap/v1.2.74-rc4)

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

---

• glibc (unimportant)
• eglibc (unimportant)
  https://sourceware.org/bugzilla/show_bug.cgi?id=24269

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.

---

• glibc (unimportant)
  Not treated as a security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22853

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

---

• glibc (unimportant)
  Not treated as a security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22852

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

---

• glibc (unimportant)
  Not treated as a security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22851

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

---

• glibc (unimportant)
  Not treated as a security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22850

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

---

• glibc (unimportant)
• eglibc (unimportant)
  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
  https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
  No treated as vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

---

• glibc (unimportant)
• eglibc (unimportant)
  That's standard POSIX behaviour implemented by (e)glibc. Applications using
  glob need to impose limits for themselves

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

---

• systemd (unimportant)
  Disputed by upstream
  https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

---

• systemd (unimportant)
  Disputed by upstream
  https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

---

• systemd (unimportant)
  Disputed by upstream
  https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

---

• systemd (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357)
  [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy)
  https://bugzilla.redhat.com/show_bug.cgi?id=859060
  only relevant to systems running systemd along with selinux

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.

---

• openldap (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965184)
  https://bugs.openldap.org/show_bug.cgi?id=9266
  https://bugzilla.redhat.com/show_bug.cgi?id=1740070
  RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
  OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap
  behaviour does conform with RFC4513. RFC6125 does not superseed the rules for
  verifying service identity provided in specifications for existing application
  protocols published prior to RFC6125, like RFC4513 for LDAP.

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.

---

• openldap (unimportant)
  http://www.openldap.org/its/index.cgi/Incoming?id=8759
  nops slapd-module not built

slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript.

---

• openldap (unimportant)
  http://www.openldap.org/its/index.cgi?findid=8703
  Negligible security impact, but filed #877512

The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.

---

• openldap (unimportant)
  Debian builds with GNUTLS, not NSS

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

---

• krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant)
  https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md
  Fixed by: krb5/krb5@c5f9c81
  Codepath cannot be triggered via API calls, negligible security impact
  https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

---

• krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant)
  https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md
  Fixed by: krb5/krb5@c5f9c81
  Unused codepath, negligible security impact
  https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

---

• krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684)
  https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow
  non-issue, codepath is only run on trusted input, potential integer
  overflow is non-issue

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

---

• libgcrypt20 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683)
  https://bugzilla.redhat.com/show_bug.cgi?id=2268268
  https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html
  https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt
  https://people.redhat.com/~hkario/marvin/
  https://dev.gnupg.org/T7136
  https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17
  Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

---

• libgcrypt20 (unimportant)
• libgcrypt11 (unimportant)
• gnupg1 (unimportant)
• gnupg (unimportant)
  https://github.com/weikengchen/attack-on-libgcrypt-elgamal
  https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
  https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
  GnuPG uses ElGamal in hybrid mode only.
  This is not a vulnerability in libgcrypt, but in an application using
  it in an insecure manner, see also
  https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

A flaw was found in the GNU coreutils "split" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.

---

• coreutils 9.5-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061138)
  [bookworm] - coreutils (Vulnerable code not present)
  [bullseye] - coreutils (Vulnerable code not present)
  [buster] - coreutils (Vulnerable code not present)
  https://www.openwall.com/lists/oss-security/2024/01/18/2
  Introduced by: coreutils/coreutils@40bf159#diff-30bc328ab3afa0ab9f17c6e7cf1752d558ae37cf4200e95bbb04c405c2b59518L821 (v9.2)
  Fixed by: coreutils/coreutils@c4c5ed8 (v9.5)

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

---

• coreutils 9.4-1 (low; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816320)
  [bookworm] - coreutils (Minor issue)
  [bullseye] - coreutils (Minor issue)
  [buster] - coreutils (Minor issue)
  [stretch] - coreutils (Minor issue)
  [jessie] - coreutils (Minor issue)
  [wheezy] - coreutils (Minor issue)
  Restricting ioctl on the kernel side seems the better approach, but rejected by Linux upstream
  Fixing this issue via setsid() would introduce regressions:
  https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes
  Since Linux 6.4.4-1 (uploaded on 23 Jul 2023), TIOCSTI is disabled on the
  kernel side, marking the first coreutils upload after that date (9.4-1) as the
  fixed version

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

---

• xz-utils 5.8.1-1
  [bullseye] - xz-utils (Vulnerable code introduced later)
  https://www.openwall.com/lists/oss-security/2025/04/03/1
  https://tukaani.org/xz/threaded-decoder-early-free.html
  GHSA-6cc8-p5mm-29w2

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

---

• xz-utils 5.6.1+really5.4.5-1
  [bookworm] - xz-utils (Vulnerable code not present)
  [bullseye] - xz-utils (Vulnerable code not present)
  [buster] - xz-utils (Vulnerable code not present)
  https://www.openwall.com/lists/oss-security/2024/03/29/4
  https://tukaani.org/xz-backdoor/
  https://boehs.org/node/everything-i-know-about-the-xz-backdoor
  https://rya.nc/xz-valid-n.html
  https://lwn.net/Articles/967192/
  https://securelist.com/xz-backdoor-story-part-1/112354/
  https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/
  https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/

DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

---

• gcc-13 13.2.0-4 (unimportant)
• gcc-12 12.3.0-9 (unimportant)
  [bookworm] - gcc-12 12.2.0-14+deb12u1
• gcc-11 11.4.0-4 (unimportant)
• gcc-10 10.5.0-3 (unimportant)
• gcc-9 9.5.0-6 (unimportant)
• gcc-8 (unimportant)
• gcc-7 (unimportant)
  GHSA-x7ch-h5rf-w2mf
  Not considered a security issue by GCC upstream
  https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

---

• sqlite3 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005974)
• sqlite (unimportant)
  https://github.com/guyinatuxedo/sqlite3_record_leaking
  https://bugzilla.redhat.com/show_bug.cgi?id=2054793
  https://sqlite.org/forum/forumpost/056d557c2f8c452ed5bb9c215414c802b215ce437be82be047726e521342161e
  Negligible security impact

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

---

• shadow (unimportant)
  See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so
  unknown usernames are not recorded on login failures

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

---

• libxml2 (unimportant)
  https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
  https://gitlab.gnome.org/GNOME/libxml2/-/issues/958#note_2505853
  Issue can only be triggered with untrusted SGML, negligible security impact

GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.

---

• glib2.0 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655044)

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."

---

http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
openssl/openssl#24540
Fault injection based attacks are not within OpenSSLs threat model according
to the security policy: https://www.openssl.org/policies/general/security-policy.html

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

---

• gnupg2 (unimportant)
  https://bugzilla.redhat.com/show_bug.cgi?id=2127010
  https://dev.gnupg.org/D556
  https://dev.gnupg.org/T5993
  https://www.openwall.com/lists/oss-security/2022/07/04/8
  GnuPG upstream is not implementing this change.

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

---

• util-linux (unimportant)
  https://bugzilla.redhat.com/show_bug.cgi?id=2053151
  https://lore.kernel.org/util-linux/[email protected]/T/#u
  util-linux/util-linux@faa5a3a
  util-linux in Debian does build with readline support but chfn and chsh are provided
  by src:shadow and util-linux is configured with --disable-chfn-chsh

Buffer Overflow in hiredis 1.2.0 allows a local attacker to cause a denial of service via the sdscatlen function.

---

REJECTED

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

---

• sun-java6 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645881)
  [lenny] - sun-java6 (Non-free not supported)
  [squeeze] - sun-java6 (Non-free not supported)
• openjdk-6 6b23~pre11-1
• openjdk-7 7~b147-2.0-1
• iceweasel (Vulnerable code not present)
  http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
• chromium-browser 15.0.874.106~r107270-1
  [squeeze] - chromium-browser
• lighttpd 1.4.30-1
  strictly speaking this is no lighttpd issue, but lighttpd adds a workaround
• curl 7.24.0-1
  http://curl.haxx.se/docs/adv_20120124B.html
• python2.6 2.6.8-0.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684511)
  [squeeze] - python2.6 (Minor issue)
• python2.7 2.7.3~rc1-1
• python3.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678998)
  [squeeze] - python3.1 (Minor issue)
• python3.2 3.2.3~rc1-1
  http://bugs.python.org/issue13885
  python3.1 is fixed starting 3.1.5
• cyassl
• gnutls26 (unimportant)
• gnutls28 (unimportant)
  No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0
• haskell-tls (unimportant)
  No mitigation for haskell-tls, it is recommended to use TLS 1.1, which is supported since 0.2
• matrixssl (low)
  [squeeze] - matrixssl (Minor issue)
  [wheezy] - matrixssl (Minor issue)
  matrixssl fix this upstream in 3.2.2
• bouncycastle 1.49+dfsg-1
  [squeeze] - bouncycastle (Minor issue)
  [wheezy] - bouncycastle (Minor issue)
  No mitigation for bouncycastle, it is recommended to use TLS 1.1, which is supported since 1.4.9
• nss 3.13.1.with.ckbi.1.88-1
  https://bugzilla.mozilla.org/show_bug.cgi?id=665814
  https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab
• polarssl (unimportant)
  No mitigation for polarssl, it is recommended to use TLS 1.1, which is supported in all releases
• tlslite
  [wheezy] - tlslite (Minor issue)
• pound 2.6-2
  Pound 2.6-2 added an anti_beast.patch to mitigate BEAST attacks.
• erlang 1:15.b-dfsg-1
  [squeeze] - erlang (Minor issue)
• asterisk 1:13.7.2dfsg-1
  [jessie] - asterisk 1:11.13.1dfsg-2+deb8u1
  [wheezy] - asterisk (Minor issue)
  [squeeze] - asterisk (Not supported in Squeeze LTS)
  http://downloads.digium.com/pub/security/AST-2016-001.html
  https://issues.asterisk.org/jira/browse/ASTERISK-24972
  patch for 11 (jessie): https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4
  all versions vulnerable, backport required for wheezy