Here are the latest security advisories for the Debian Linux distribution:

• DSA-5906-1 erlang - security update
  Several vulnerabilities were discovered in the Erlang/OTP implementation of the SSH protocol, which may result in denial of service or the execution of arbitrary code. https://security-tracker.debian.org/tracker/DSA-5906-1
• DSA-5905-1 graphicsmagick - security update
  Two vulnerabilities have been discovered in GraphicsMagick, a set of ommand-line applications to manipulate image files, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. https://security-tracker.debian.org/tracker/DSA-5905-1
• DSA-5904-1 libapache2-mod-auth-openidc - security update
  It was discovered that mod_auth_openidc, an OpenID Certified authentication and authorization module for the Apache HTTP server that implements the OpenID Connect Relying Party functionality, was susceptible to information disclosure in some configurations https://security-tracker.debian.org/tracker/DSA-5904-1
• DSA-5903-1 chromium - security update
  Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5903-1
• DSA-5902-1 perl - security update
  Nathan Mills discovered a heap-based buffer overflow vulnerability in the implementation of the Perl programming language when transliterating non-ASCII bytes with tr///, which may result in denial of service, or potentially the execution of arbitrary code. https://security-tracker.debian.org/tracker/DSA-5902-1
• DSA-5901-1 mediawiki - security update
  Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in information disclosure, cross-site scripting or restriction bypass. https://security-tracker.debian.org/tracker/DSA-5901-1
• DSA-5900-1 linux - security update
  Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. https://security-tracker.debian.org/tracker/DSA-5900-1
• DSA-5899-1 webkit2gtk - security update
  The following vulnerabilities have been discovered in the WebKitGTK web engine: CVE-2024-54551 ajajfxhj discovered that processing web content may lead to a denial-of-service. CVE-2025-24208 Muhammad Zaid Ghifari and Kalimantan Utara discovered that loading a malicious iframe may lead to a cross-site scripting attack. CVE-2025-24209 Francisco Alonso and an anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash. CVE-2025-24213 The Google V8 Security Team discovered that a type confusion issue could lead to memory corruption. Note that this CVE is fixed only on ARM architectures. x86_64 is not vulnerable, x86 is not vulnerable when the SSE2 instruction set is enabled; but other architectures remain vulnerable. CVE-2025-24216 Paul Bakker discovered that processing maliciously crafted web content may lead to an unexpected Safari crash. CVE-2025-24264 Gary Kwong and an anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected crash. CVE-2025-30427 rheza discovered that processing maliciously crafted web content may lead to an unexpected crash. https://security-tracker.debian.org/tracker/DSA-5899-1
• DSA-5898-1 chromium - security update
  Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5898-1
• DSA-5897-1 lemonldap-ng - security update
  A cross-site scripting vulnerability has been discovered in Lemonldap::NG, a Web-SSO system compatible with OpenID-Connect, CAS and SAML, when using the "Choice" module: It permits to introduce HTML code into the login page and if the default Content-Security-Policy headers have been modified, it may be possible to inject JavaScript code. https://security-tracker.debian.org/tracker/DSA-5897-1
• DSA-5896-1 trafficserver - security update
  Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling, cache poisoning or incomplete dropping of privileges. https://security-tracker.debian.org/tracker/DSA-5896-1
• DSA-5895-1 xz-utils - security update
  Harri K. Koskinen discovered a flaw in the multithreaded .xz decoder lzma_stream_decoder_mt in xz-utils, the XZ-format compression utilities, which may lead to denial of service (application crash) or the execution of arbitrary code. https://security-tracker.debian.org/tracker/DSA-5895-1
• DSA-5894-1 jetty9 - security update
  Jetty 9 is a Java based web server and servlet engine. Several security vulnerabilities have been discovered which may allow remote attackers to cause a denial of service by repeatedly sending crafted requests which can trigger OutofMemory errors and exhaust the server's memory. CVE-2024-6762: In addition PushSessionCacheFilter and PushCacheFilter have been deprecated. These classes should no longer be used in a production environment. https://security-tracker.debian.org/tracker/DSA-5894-1
• DSA-5893-1 tomcat10 - security update
  A security vulnerability was found in Tomcat 10, a Java based web server and servlet engine. A malicious user was able to view security sensitive files and/or inject content into those files when writes were enabled for the default servlet (disabled by default) and support for partial PUT was enabled (default). Under certain circumstances, depending on the application in use, remote code execution may have been possible. https://security-tracker.debian.org/tracker/DSA-5893-1
• DSA-5892-1 atop - security update
  It was discovered that Atop, a monitor tool for system resources and process activity, always tried to connect to the port of atopgpud (an additional daemon gathering GPU statistics not shipped in Debian) while performing insufficient sanitising of the data read from this port. With this update, additional validation is added and by default atop no longer tries to connect to the atopgpud daemon port unless explicitly enabled via -k. https://security-tracker.debian.org/tracker/DSA-5892-1
• DSA-5891-1 thunderbird - security update
  Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code. https://security-tracker.debian.org/tracker/DSA-5891-1
• DSA-5890-1 chromium - security update
  Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5890-1
• DSA-5889-1 firefox-esr - security update
  Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or spoofing. https://security-tracker.debian.org/tracker/DSA-5889-1
• DSA-5888-1 ghostscript - security update
  Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed. https://security-tracker.debian.org/tracker/DSA-5888-1
• DSA-5887-1 exim4 - security update
  It was discovered that a use-after-free vulnerability in Exim4, a mail transport agent, may result in privilege escalation for a local attacker. https://security-tracker.debian.org/tracker/DSA-5887-1
• More...