ICU and CJSON updates for Debian

Debian GNU/Linux has recently released security updates for the ICU and CJSON packages, impacting various versions of the operating system including Jessie (8), Stretch (9), Buster (10), and Bullseye (11).

For the Extended LTS releases (Jessie, Stretch, and Buster), the security update for ICU is identified as ELA-1461-1. The update addresses a critical stack-based buffer overflow vulnerability, CVE-2025-5222, in the ICU library, a C and C++ implementation of Unicode and globalization support. Users are strongly advised to upgrade their ICU packages accordingly.

For Debian 11 (Bullseye), two separate security advisories have been issued: DLA-4217-1 for ICU and DLA-4216-1 for CJSON. The ICU update resolves the same buffer overflow issue (CVE-2025-5222), which is fixed in version 67.1-7+deb11u1. The CJSON update addresses two vulnerabilities: CVE-2023-26819, which relates to the rejection of valid JSON texts, and CVE-2023-53154, a heap buffer overflow issue. This update is available in version 1.7.14-1+deb11u2.

Users of Debian are encouraged to upgrade their systems to ensure they are protected against these vulnerabilities. For detailed information regarding security status and the steps to apply these updates, users can refer to the Debian security tracker pages for ICU and CJSON as well as the Debian LTS Wiki.

In summary, maintaining up-to-date software is crucial for system security, and Debian's proactive measures in releasing these updates demonstrate its commitment to user safety. Users should regularly check for updates and apply them promptly to safeguard their systems against potential threats.

Debian GNU/Linux has received security updates for ICU and CJSON:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1461-1 icu security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4217-1] icu security update
[DLA 4216-1] cjson security update