Debian GNU/Linux has recently released two important security updates for its Extended LTS (ELTS) versions. The updates include ELA-1492-1 for the Python package manager, python-setuptools, applicable to both Debian 9 (Stretch) and Debian 10 (Buster), and ELA-1493-1 for the libphp-adodb library, specifically for Debian 9.
1. ELA-1492-1: python-setuptools Security Update
   - Affected Versions:
     - Debian 9 (Stretch): 33.1.1-1+deb9u1
     - Debian 10 (Buster): 40.8.0-1+deb10u1
   - Related CVEs:
     - CVE-2022-40897: A Regular Expression Denial of Service (ReDoS) in package_index.py.
     - CVE-2024-6345: Remote code execution in the package_index module; its download functions do not safely handle user-controlled package URLs.
     - CVE-2025-47273: A path traversal that allows files to be written to arbitrary locations on the filesystem, which can lead to remote code execution with the privileges of the running process.
2. ELA-1493-1: libphp-adodb Security Update
   - Affected Version:
     - Debian 9 (Stretch): 5.20.9-1+deb9u2
   - Related CVEs:
     - CVE-2025-46337: A SQL injection vulnerability in the PostgreSQL driver of the ADOdb database access library for PHP.
Importance of the Updates:
These updates are crucial for maintaining the security and integrity of Debian systems by patching known vulnerabilities that could be exploited by attackers. Users and administrators are strongly advised to apply these updates promptly to mitigate potential security risks.
Recommendations:
To enhance security, users should regularly check for updates, review security advisories, and utilize secure coding practices when developing applications that rely on these packages. Additionally, keeping track of related CVEs can help in understanding the security landscape and preparing for potential threats.
Python-Setuptools and Libphp-Adodb updates for Debian ELTS
Debian GNU/Linux has been updated with two security patches: ELA-1492-1 for python-setuptools for both Debian 9 and 10 ELTS and ELA-1493-1 for libphp-adodb for Debian 9 ELTS.
ELA-1492-1 python-setuptools security update
ELA-1493-1 libphp-adodb security update