Debian 10756

Multiple security updates have been released for Debian GNU/Linux for various packages, including openjdk-11, openjdk-17, imagemagick, and apache2. The updates address several vulnerabilities that could result in incorrect certificate validation, CRLF injection, man-in-the-middle attacks, denial of service, or potentially the execution of arbitrary code.

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1626-1 apache2 security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1624-1 imagemagick security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1623-1 openjdk-11 security update
ELA-1625-1 apache2 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4457-1] openjdk-11 security update
[DLA 4456-1] openjdk-17 security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6111-1] imagemagick security update

Debian GNU/Linux 13 (Trixie):
[DSA 6112-1] openjdk-21 security update



[SECURITY] [DLA 4457-1] openjdk-11 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4457-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
January 26, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : openjdk-11
Version : 11.0.30+7-1~deb11u1
CVE ID : CVE-2026-21925 CVE-2026-21932 CVE-2026-21933 CVE-2026-21945

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in incorrect certificate validation,
CRLF injection or man-in-the-middle attacks.

For Debian 11 bullseye, these problems have been fixed in version
11.0.30+7-1~deb11u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4456-1] openjdk-17 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4456-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
January 26, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : openjdk-17
Version : 17.0.18+8-1~deb11u1
CVE ID : CVE-2026-21925 CVE-2026-21932 CVE-2026-21933 CVE-2026-21945

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in incorrect certificate validation,
CRLF injection or man-in-the-middle attacks.

For Debian 11 bullseye, these problems have been fixed in version
17.0.18+8-1~deb11u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1624-1 imagemagick security update


Package : imagemagick
Version : 8:6.9.7.4+dfsg-11+deb9u25 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u14 (buster)

Related CVEs :
CVE-2026-23874
CVE-2026-23876
CVE-2026-23952

Multiple vulnerabilities were fixed in imagemagick, an image manipulation
software suite.

CVE-2026-23874
A stack overflow was found via infinite recursion in
MSL (Magick Scripting Language) `` command when
writing to MSL format.

CVE-2026-23876
A heap buffer overflow vulnerability in the XBM image decoder
(ReadXBMImage) allows an attacker to write controlled data past
the allocated heap buffer when processing a maliciously crafted
image file. Any operation that reads or identifies an image can
trigger the overflow, making it exploitable via common image
upload and processing pipelines.

CVE-2026-23952
A NULL pointer dereference was found in the MSL parser via
tag before image load.





ELA-1623-1 openjdk-11 security update


Package : openjdk-11
Version : 11.0.30+7-1~deb10u1 (buster)

Related CVEs :
CVE-2026-21925
CVE-2026-21932
CVE-2026-21933
CVE-2026-21945

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in incorrect certificate validation,
CRLF injection or man-in-the-middle attacks.





ELA-1625-1 apache2 security update


Package : apache2
Version : 2.4.59-1~deb10u6 (buster)

Related CVEs :
CVE-2025-55753
CVE-2025-58098
CVE-2025-65082
CVE-2025-66200

Multiple vulnerabilities were fixed in the Apache HTTPD server,
a popular web server.

CVE-2025-55753
Update mod_md to v2.6.6

An integer overflow was found: in the case of failed ACME certificate
renewal, after a number of failures (~30 days in default
configurations) the backoff timer becomes 0, and attempts to renew
the certificate are then repeated without delay until one succeeds.

CVE-2025-58098
Apache HTTP Server with Server Side Includes (SSI) enabled
and mod_cgid (but not mod_cgi) passes the shell-escaped
query string to #exec cmd="..." directives.

CVE-2025-65082
An Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability was found in Apache HTTP Server: environment
variables set via the Apache configuration unexpectedly
supersede variables calculated by the server for CGI programs.

CVE-2025-66200
A mod_userdir+suexec bypass vulnerability via AllowOverride FileInfo was
found in Apache HTTP Server. Users with access to the RequestHeader directive
in .htaccess can cause some CGI scripts to run under an unexpected userid.





[SECURITY] [DSA 6112-1] openjdk-21 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6112-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-21
CVE ID : CVE-2026-21925 CVE-2026-21932 CVE-2026-21933 CVE-2026-21945

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in incorrect certificate validation, CRLF
injection or man-in-the-middle attacks.

For the stable distribution (trixie), these problems have been fixed in
version 21.0.10+7-1~deb13u1.

We recommend that you upgrade your openjdk-21 packages.

For the detailed security status of openjdk-21 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-21

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6111-1] imagemagick security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6111-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 26, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2026-23874 CVE-2026-23876 CVE-2026-23952 CVE-2026-22770

This update fixes multiple vulnerabilities in Imagemagick, which could
result in denial of service via MSL scripts or potentially the execution
of arbitrary code if malformed XBM images are processed.

For the oldstable distribution (bookworm), these problems have been fixed
in version 8:6.9.11.60+dfsg-1.6+deb12u6.

For the stable distribution (trixie), these problems have been fixed in
version 8:7.1.1.43+dfsg1-1+deb13u5.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1626-1 apache2 security update


Package : apache2
Version : 2.4.25-3+deb9u22 (stretch)

Related CVEs :
CVE-2025-58098
CVE-2025-65082
CVE-2025-66200

Multiple vulnerabilities were fixed in the Apache HTTPD server,
a popular web server.

CVE-2025-58098
Apache HTTP Server with Server Side Includes (SSI) enabled
and mod_cgid (but not mod_cgi) passes the shell-escaped
query string to #exec cmd="..." directives.

CVE-2025-65082
An Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability was found in Apache HTTP Server: environment
variables set via the Apache configuration unexpectedly
supersede variables calculated by the server for CGI programs.

CVE-2025-66200
A mod_userdir+suexec bypass vulnerability via AllowOverride FileInfo was
found in Apache HTTP Server. Users with access to the RequestHeader directive
in .htaccess can cause some CGI scripts to run under an unexpected userid.
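As an added example that is not part of the advisories above, the following Python checker reimplements dpkg's version ordering (epoch, upstream, revision, with `~` sorting before everything) and compares a host's installed versions against the fixed versions this page lists; the FIXED table is transcribed from these advisories, while the audit function and the sample host data are constructed for illustration.

```python
import re

# Fixed versions from the advisories on this page, keyed by (suite, source package).
FIXED = {
    ("stretch", "apache2"): "2.4.25-3+deb9u22",
    ("stretch", "imagemagick"): "8:6.9.7.4+dfsg-11+deb9u25",
    ("buster", "imagemagick"): "8:6.9.10.23+dfsg-2.1+deb10u14",
    ("buster", "openjdk-11"): "11.0.30+7-1~deb10u1",
    ("buster", "apache2"): "2.4.59-1~deb10u6",
    ("bullseye", "openjdk-11"): "11.0.30+7-1~deb11u1",
    ("bullseye", "openjdk-17"): "17.0.18+8-1~deb11u1",
    ("bookworm", "imagemagick"): "8:6.9.11.60+dfsg-1.6+deb12u6",
    ("trixie", "imagemagick"): "8:7.1.1.43+dfsg1-1+deb13u5",
    ("trixie", "openjdk-21"): "21.0.10+7-1~deb13u1",
}

def _sign(x, y):
    return (x > y) - (x < y)

def _weight(c):
    # dpkg order for non-digit characters: '~' < end of string (0) < letters < punctuation
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg's verrevcmp: alternate weighted non-digit runs and numeric digit runs.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _sign([_weight(c) for c in na] + [0], [_weight(c) for c in nb] + [0])
        if r: return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        r = _sign(int(da or 0), int(db or 0))
        if r: return r
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(a, b):
    # Same ordering as `dpkg --compare-versions` (-1, 0, 1) over [epoch:]upstream[-revision].
    pa, pb = (re.fullmatch(r"(?:(\d+):)?(.*?)(?:-([^-]*))?", v).groups() for v in (a, b))
    return (_sign(int(pa[0] or 0), int(pb[0] or 0)) or _cmp_fragment(pa[1], pb[1])
            or _cmp_fragment(pa[2] or "", pb[2] or ""))

def audit(suite, installed):
    # installed: {source package: version} (e.g. from dpkg-query -W -f
    # '${source:Package}\t${Version}\n'); True means at or above this page's fixed version.
    return {s: compare_versions(v, FIXED[(suite, s)]) >= 0
            for s, v in installed.items() if (suite, s) in FIXED}

# Constructed sample of a bullseye host: openjdk-11 still behind, openjdk-17 already fixed.
SAMPLE = {"openjdk-11": "11.0.29+11-1~deb11u1", "openjdk-17": "17.0.18+8-1~deb11u1"}
```

On a real host, feed audit() the dpkg-query output keyed by source package, not binary package name; note that a `~deb11u1` build sorts below the same version without the suffix, which is why a plain string comparison would misreport such backports.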

