Debian GNU/Linux has implemented security updates across various versions, focusing on vulnerabilities found in webkit2gtk and multiple PHP versions. The updates include the following:
- Debian GNU/Linux 8 (Jessie) ELTS:
- ELA-1385-1: Security update for php5.
- Debian GNU/Linux 9 (Stretch) ELTS:
- ELA-1384-1: Security update for php7.0.
- Debian GNU/Linux 10 (Buster) ELTS:
- ELA-1383-1: Security update for php7.3.
- Debian GNU/Linux 12 (Bookworm):
- DSA 5899-1: Security update for webkit2gtk.
1. CVE-2024-54551: Denial-of-service through web content processing.
2. CVE-2025-24208: Cross-site scripting via malicious iframes.
3. CVE-2025-24209: Crashes from processing malformed web content.
4. CVE-2025-24213: Memory corruption issues due to type confusion.
5. CVE-2025-24216: Unexpected crashes when processing malicious content.
6. CVE-2025-24264: Additional crashes from crafted web content.
7. CVE-2025-30427: Further crashes from malicious web content processing.
The update is recommended for users to protect their systems.
- Incorrect MIME types being passed, leading to validation bypass.
- HTTP header management issues that could result in request smuggling.
- Truncation of redirect locations, potentially omitting critical information and leading to denial-of-service conditions.
For further details on security advisories, users can refer to the Debian security website and the specific security tracker pages for each package. Regular updates and monitoring for newly discovered vulnerabilities are crucial for maintaining system security
- Debian GNU/Linux 8 (Jessie) ELTS:
- ELA-1385-1: Security update for php5.
- Debian GNU/Linux 9 (Stretch) ELTS:
- ELA-1384-1: Security update for php7.0.
- Debian GNU/Linux 10 (Buster) ELTS:
- ELA-1383-1: Security update for php7.3.
- Debian GNU/Linux 12 (Bookworm):
- DSA 5899-1: Security update for webkit2gtk.
WebKitGTK Vulnerabilities
The security update for webkit2gtk addresses several vulnerabilities, including:1. CVE-2024-54551: Denial-of-service through web content processing.
2. CVE-2025-24208: Cross-site scripting via malicious iframes.
3. CVE-2025-24209: Crashes from processing malformed web content.
4. CVE-2025-24213: Memory corruption issues due to type confusion.
5. CVE-2025-24216: Unexpected crashes when processing malicious content.
6. CVE-2025-24264: Additional crashes from crafted web content.
7. CVE-2025-30427: Further crashes from malicious web content processing.
The update is recommended for users to protect their systems.
PHP Vulnerabilities
The updates for php5, php7.0, and php7.3 also address multiple CVEs, primarily focused on issues related to HTTP stream handling and potential security flaws that could lead to problems such as:- Incorrect MIME types being passed, leading to validation bypass.
- HTTP header management issues that could result in request smuggling.
- Truncation of redirect locations, potentially omitting critical information and leading to denial-of-service conditions.
Recommendations
Users of Debian systems are urged to upgrade their packages for webkit2gtk and the PHP versions mentioned to mitigate the risks posed by these vulnerabilities.For further details on security advisories, users can refer to the Debian security website and the specific security tracker pages for each package. Regular updates and monitoring for newly discovered vulnerabilities are crucial for maintaining system security
Webkit2GTK and PHP updates for Debian
Debian GNU/Linux has been updated with multiple security enhancements, including updates to webkit2gtk, php5, php7.0, and php7.3:
Debian GNU/Linux 8 (Jessie) ELTS:
ELA-1385-1 php5 security update
Debian GNU/Linux 9 (Stretch) ELTS:
ELA-1384-1 php7.0 security update
Debian GNU/Linux 10 (Buster) ELTS:
ELA-1383-1 php7.3 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5899-1] webkit2gtk security update
