Debian 10794 Published by Philipp Esselbach 0

Multiple Debian packages have been updated to address security vulnerabilities, including inetutils, openjdk-17, libuev, php7.3, taglib, zvbi, and python3.9. These updates fix issues such as authentication bypass problems, incorrect certificate validation, integer overflows, heap buffer overflows, and header injection attacks. The affected packages are listed with their versions and CVE IDs, along with recommendations to upgrade to the latest versions.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1619-1 inetutils security update
ELA-1621-1 taglib security update
ELA-1620-1 zvbi security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1622-1 php7.3 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4454-1] libuev security update
[DLA 4455-1] python3.9 security update

Debian GNU/Linux 12 (Bookworm):
[DSA 6110-1] openjdk-17 security update

Debian 10794 Ubuntu 6995 Published by Philipp Esselbach 0

A new version of the XanMod kernel for Debian and Ubuntu has been released. This kernel adds LLVM ThinLTO, aggressive x86_64 scheduling and networking upgrades like BBRv3 that can noticeably speed heavy I/O or compilation workloads. The kernel may break DKMS‑based drivers (NVIDIA, OpenZFS, VirtualBox/VMware), so keep the old kernel handy and be ready to reinstall or revert if needed. Install it by adding the XanMod repo, pulling in linux-xanmod and its headers, then rebooting and selecting the new entry.

Debian 10794 Published by Philipp Esselbach 0

The Debian project has issued multiple security advisories for Debian GNU/Linux 11 (Bullseye) LTS, including updates for php7.4, imagemagick, shapelib, taglib, zvbi, apache2, and inetutils. Each advisory reports on specific vulnerabilities found in the respective packages, including issues related to memory overflow, null pointer dereference, denial of service, and authentication bypass.

[DLA 4447-1] php7.4 security update
[DLA 4448-1] imagemagick security update
[DLA 4451-1] shapelib security update
[DLA 4450-1] taglib security update
[DLA 4449-1] zvbi security update
[DLA 4452-1] apache2 security update
[DLA 4453-1] inetutils security update

Debian 10794 Ubuntu 6995 Arch Linux 937 Published by Philipp Esselbach 0

Liquorix Kernel 6.18‑8 swaps the default scheduler for Kyber/BFQ, tightens CPU timeslices to 2 ms and enables aggressive preemption, giving desktops a noticeably snappier feel at the cost of a bit more power draw. The one‑liner install script simply adds the Liquorix repo, pulls the proper .deb (or AUR) package and updates GRUB; just save the script first, glance at it, then run it with sudo. Expect minor side effects like higher fan speed on laptops, possible firmware or driver rebuilds for older GPUs/NVIDIA cards, and a small learning curve if you use systemd‑boot instead of GRUB.

Debian 10794 Ubuntu 6995 Arch Linux 937 Published by Philipp Esselbach 0

Steven Barrett has released Liquorix Linux Kernel 6.18-7, which fixes a performance issue affecting Project-C and includes several notable improvements for optimizing the desktop experience. The kernel features interactive tuning to prioritize responsiveness over power saving, optimized I/O and memory management, and adjusted CPUFreq control parameters for faster responsiveness when needed. Additionally, Liquorix 6.18-7 includes high-resolution scheduling, real-time system handling, and other technical enhancements, such as Budget Fair Queue support and Compressed Swap via zswap. The kernel is designed to be easily deployable on Debian, Ubuntu, or Arch Linux systems, with binary builds available through the Liquorix PPA for straightforward installation.

Debian 10794 Published by Philipp Esselbach 0

Debian has released several security updates, including DLA-4426-2 for osslsigncode and DLA-4446-1/ELA-1618-1 for python-urllib3. The updates fix vulnerabilities CVE-2023-36377 in osslsigncode and CVE-2026-21441 in python-urllib3, which could lead to denial-of-service attacks. Additionally, Debian Security Advisory DSA-6109-1 addresses two security issues in Incus, a system container.

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1618-1 python-urllib3 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4426-2] osslsigncode regression update
[DLA 4446-1] python-urllib3 security update

Debian GNU/Linux 13 (Trixie):
[DSA 6109-1] incus security update

Debian 10794 Published by Philipp Esselbach 0

Debian has released several security updates to address vulnerabilities in various packages. The first update, DSA-6106-1, fixes a flaw in inetutils that allows remote attackers to log in as root by bypassing normal authentication processes. Another update, DSA-6108-1, addresses a security issue in Chromium that could result in arbitrary code execution, denial of service, or information disclosure. Additionally, updates have been released for python-urllib3 and bind9 to correct regressions and vulnerabilities in these packages.

[DSA 6106-1] inetutils security update
[DSA 6108-1] chromium security update
[DSA 6102-2] python-urllib3 regression update
[DSA 6107-1] bind9 security update

Debian 10794 Published by Philipp Esselbach 0

Debian has released a security update for the modsecurity-crs package to address a vulnerability in the OWASP ModSecurity Core Rule Set. The issue occurs when parsing some multipart requests, which can lead to incorrect rule execution. The bug was fixed in version 3.3.4-1+deb12u1 for Debian GNU/Linux 12 (Bookworm) and version 3.3.7-1+deb13u1 for Debian GNU/Linux 13 (Trixie).

[DSA 6105-1] modsecurity-crs security update

Debian 10794 Published by Philipp Esselbach 0

Ondřej Surý has released updated Debian packages for PHP users, including the latest versions of PHP 8.5.2, 8.4.17, and 8.3.30. These updates address several security vulnerabilities, fix long-standing bugs, and improve efficiency and resource usage, such as clearing potential memory leaks in LDAP and Intl systems. The new packages are now available for Debian 11 (Bullseye) LTS users, Debian 12 (Bookworm), and Debian 13 (Trixie). To add the repository to your Debian installation, you can follow a series of commands listed in the text or refer to the deb.sury.org website for further details.

Debian 10794 Published by Philipp Esselbach 0

A vulnerability has been discovered in the OpenStack middleware package for both Debian GNU/Linux 12 (Bookworm) and 13 (Trixie), specifically in the authentication and authorization features for web services other than Keystone. If an external OAuth provider is configured, authentication headers are insufficiently sanitized, leading to potential privilege escalation or user impersonation (CVE-2026-22797). Additionally, multiple security fixes have been applied to the python3.9 package in version 3.9.2-1+deb11u4 for Debian GNU/Linux 11 (Bullseye) LTS, addressing several issues, including integer overflows, buffer overflows, and denial-of-service vulnerabilities.

[DSA 6104-1] python-keystonemiddleware security update
[DLA 4445-1] python3.9 security update

Debian 10794 Published by Philipp Esselbach 0

Debian has released three security updates for its Debian GNU/Linux 11 (Bullseye) LTS distribution, fixing vulnerabilities in Thunderbird (DLA-4442-1), Apache Log4j2 (DLA-4444-1), and DCMTK (DLA-4443-1). Additionally, an Extended LTS Advisory (ELA-1617-1) has been issued for Debian GNU/Linux 10 (Buster) to address two security issues in gpsd. The updates resolve a range of problems, including arbitrary code execution, memory corruption, and denial-of-service attacks.

[DLA 4442-1] thunderbird security update
[DLA 4444-1] apache-log4j2 security update
[DLA 4443-1] dcmtk security update
ELA-1617-1 gpsd security update

Debian 10794 Published by Philipp Esselbach 0

The Debian project has released security updates for two packages: gpsd and cjose. The gpsd package, which keeps track of GNSS or AIS receivers connected to a computer, has been updated to fix several security problems, including a serious issue that could allow unauthorized writing of data (CVE-2025-67268). These issues have been addressed in version 3.22-4+deb11u1 of the gpsd package, which is available for Debian GNU/Linux 11 (Bullseye) LTS users. Additionally, a security update has been released for the cjose package, which contains a fix for an AES GCM decryption routine vulnerability (CVE-2023-37464) in version 0.4.1-3+deb9u1 for Debian GNU/Linux 9 (Stretch) ELTS.

[DLA 4441-1] gpsd security update
ELA-1616-1 cjose security update

Debian 10794 Ubuntu 6995 Arch Linux 937 Published by Philipp Esselbach 0

Steven Barrett has released Liquorix Linux kernel 6.18-6, which is based on the standard Linux Kernel 6.18 and designed to optimize desktop performance for multimedia and gaming workloads. The new kernel has many upgrades, like better Zen Interactive Tuning, improved I/O and memory management, quicker CPUFreq control, and extra features for better performance, such as high-resolution scheduling and real-time system handling. Liquorix is a custom-built kernel that can be used as a direct replacement for the standard kernel on Debian, Ubuntu, or Arch Linux systems, with binary builds available through their PPA. Users can easily try out the new kernel by running a script on the Liquorix website, which will handle the installation automatically via curl and bash.

Debian 10794 Published by Philipp Esselbach 0

Debian has released two security updates for Debian GNU/Linux 12 (Bookworm) and 13 (Trixie): DSA-6103-1 for thunderbird and DSA-6102-1 for python-urllib3. These updates address multiple vulnerabilities that could result in arbitrary code execution or denial of service. Additionally, ELA-1615-1 is a security update for Tomcat 9 on Debian GNU/Linux 10 (Buster) ELTS, which fixes several security issues related to HTTP/2 connections and resource consumption. The update includes notable changes such as hardened AJP connector settings and deprecated filters, and users are advised to upgrade their packages to ensure security.

[DSA 6103-1] thunderbird security update
[DSA 6102-1] python-urllib3 security update
ELA-1615-1 tomcat9 security update

Debian 10794 Published by Philipp Esselbach 0

Debian has released a security update for the FFmpeg multimedia framework, addressing several vulnerabilities that could result in denial of service or potentially allow arbitrary code execution. The vulnerabilities were discovered in the HLS playlist parsing, VP9 decoder, AAC encoder, ALS audio decoder, JPEG2000 decoder, and Firequalizer filter, with some allowing remote code execution or data corruption. To fix these issues on Debian GNU/Linux 11 (Bullseye), users should upgrade their ffmpeg packages to version 7:4.3.9-0+deb11u2.

[DLA 4440-1] ffmpeg security update

Debian 10794 Ubuntu 6995 Arch Linux 937 Published by Philipp Esselbach 0

Steven Barrett has released Liquorix Linux kernel 6.18-5, a custom-built kernel designed to optimize desktop experiences for multimedia and gaming workloads by tapping into performance capabilities that may not be fully utilized in default kernels. This kernel brings several notable improvements, including interactive tuning, optimized I/O and memory management, and features like high-resolution scheduling, real-time system handling, and support for Budget Fair Queue (BFQ) to manage disk I/O and keep latency in check. Liquorix 6.18-5 also includes performance enhancements such as TCP BBR2 Congestion Control and Compressed Swap using LZ4 compression to reduce memory requirements for swap. The kernel is available for Debian, Ubuntu, and Arch Linux, with binary builds tailored for stable, testing, and unstable releases, making it easy to install and use as a direct replacement for the standard kernel.

Debian 10794 Published by Philipp Esselbach 0

Researchers have discovered multiple security vulnerabilities in various Debian software packages, such as Firefox and Samba. Updated versions of the software have fixed these vulnerabilities, which could potentially lead to privilege escalation, denial of service, or information leaks. For example, an update for Debian's oldstable distribution fixes multiple security issues in the Mozilla Firefox web browser, while another update fixes a vulnerability in the Samba SMB/CIFS file and print server.

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1613-1 postgresql-9.6 security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1614-1 linux-6.1 security update
ELA-1611-1 samba security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1612-1 postgresql-11 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4439-1] firefox-esr security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6101-1] firefox-esr security update

Debian 10794 Published by Philipp Esselbach 0

Debian has released several security updates to fix vulnerabilities in various packages, including python-parsl, linux-6.1, chromium, mongo-c-driver, and gnupg2. These vulnerabilities could potentially lead to privilege escalation, denial of service, information leaks, or remote code execution (RCE). The fixes are available in different versions of the affected packages for Debian 9 (Stretch) ELTS, Debian 10 (Buster) ELTS, Debian 11 (Bullseye) LTS, Debian 12 (Bookworm), and Debian 13 (Trixie).

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1610-1 gnupg2 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4436-1] linux-6.1 security update
[DLA 4438-1] mongo-c-driver security update
[DLA 4437-1] gnupg2 security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6100-1] chromium security update

Debian GNU/Linux 13 (Trixie):
[DSA 6099-1] python-parsl security update

Debian 10794 Published by Philipp Esselbach 0

The libidn2 library has been updated to address a vulnerability that allowed attackers to impersonate other domains, specifically through carefully crafted domain names. This update fixes CVE-2019-12290 and is available for Debian GNU/Linux 10 (Buster) ELTS. Meanwhile, a separate security issue was found in net-snmp, which could lead to denial of service or code execution. The vulnerability has been fixed in net-snmp versions 5.9.3+dfsg-2+deb12u1 for Debian GNU/Linux 12 (Bookworm) and 5.9.4+dfsg-2+deb13u1 for Debian GNU/Linux 13 (Trixie).

ELA-1609-1 libidn2 security update
[DSA 6098-1] net-snmp security update

Debian 10794 Published by Philipp Esselbach 0

New Debian GNU/Linux 13.3 Trixie live images for popular desktop environments are now available, allowing users to test and experiment with different setups before making a final decision. The release includes six desktop environment options: GNOME 48.4, KDE Plasma 6.3.5, Xfce 4.20, Cinnamon 6.4.10, LXQt, and LXDE, each offering unique features and customization options.