Debian GNU/Linux recently released security updates for several packages, specifically addressing vulnerabilities in `libapache2-mod-auth-openidc`, `openssh`, and `request-tracker4`. These updates apply to different versions of Debian: Buster (10), Bullseye (11), and Bookworm (12).
- Debian 10 (Buster):
- ELA-1418-1: A security update for `request-tracker4` was issued, fixing multiple vulnerabilities that could lead to information disclosure, cross-site scripting (XSS), and weak encryption in S/MIME emails.
- Debian 11 (Bullseye):
- DLA 4155-1: An update for `libapache2-mod-auth-openidc` addresses a vulnerability (CVE-2025-3891) that allows unauthenticated attackers to crash the Apache HTTP server when the `OIDCPreservePost` directive is enabled.
- DLA 4156-1: The `openssh` package was updated to fix a misconfiguration in the `DisableForwarding` directive, which was intended to disable X11 and agent forwarding.
- DLA 4157-1: The `request-tracker4` package also received an update to patch multiple vulnerabilities similar to those addressed in Buster.
- Debian 12 (Bookworm):
- DSA 5917-1: The `libapache2-mod-auth-openidc` package was updated to fix the same vulnerability (CVE-2025-3891) as in Bullseye, ensuring stability and security for users of this version.
For further assistance and guidance on applying these updates, users can refer to the Debian LTS wiki, which provides comprehensive instructions and answers to frequently asked questions.
Key Updates:
- Debian 10 (Buster):
- ELA-1418-1: A security update for `request-tracker4` was issued, fixing multiple vulnerabilities that could lead to information disclosure, cross-site scripting (XSS), and weak encryption in S/MIME emails.
- Debian 11 (Bullseye):
- DLA 4155-1: An update for `libapache2-mod-auth-openidc` addresses a vulnerability (CVE-2025-3891) that allows unauthenticated attackers to crash the Apache HTTP server when the `OIDCPreservePost` directive is enabled.
- DLA 4156-1: The `openssh` package was updated to fix a misconfiguration in the `DisableForwarding` directive, which was intended to disable X11 and agent forwarding.
- DLA 4157-1: The `request-tracker4` package also received an update to patch multiple vulnerabilities similar to those addressed in Buster.
- Debian 12 (Bookworm):
- DSA 5917-1: The `libapache2-mod-auth-openidc` package was updated to fix the same vulnerability (CVE-2025-3891) as in Bullseye, ensuring stability and security for users of this version.
Recommendations:
Users are strongly advised to upgrade their packages to the latest versions to mitigate potential security risks. Detailed security statuses for each package can be found on the Debian security tracker website.For further assistance and guidance on applying these updates, users can refer to the Debian LTS wiki, which provides comprehensive instructions and answers to frequently asked questions.
Conclusion:
These updates emphasize Debian's commitment to maintaining robust security practices by promptly addressing vulnerabilities across supported versions. Regularly updating software is critical for system integrity and protection against potential exploits. Users should ensure that their systems are up-to-date with the latest patches as part of their security protocolsLibapache2-Mod-Auth-OpenIDC, OpenSSH, and Request Tracker updates for Debian
Debian GNU/Linux has been updated with multiple security enhancements, encompassing libapache2-mod-auth-openidc, openssh, and request-tracker4.
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1418-1 request-tracker4 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4155-1] libapache2-mod-auth-openidc security update
[DLA 4156-1] openssh security update
[DLA 4157-1] request-tracker4 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5917-1] libapache2-mod-auth-openidc security updateLibapache2-Mod-Auth-OpenIDC, OpenSSH, and Request Tracker updates for Debian @ Linux Compatible
