Debian Long Term Support recently issued urgent security patches for Apache2 version 2.4.59 and OpenSSL version 1.1.1w to resolve a wave of critical flaws. The Apache update addresses twelve separate CVEs that may result in remote code execution, privilege escalation, denial of service or information disclosure. System administrators will also want to review the OpenSSL advisory, which details five distinct issues including heap buffer overflows and other dangerous memory handling errors.

ELA-1754-1 apache2 security update

Package : apache2

Version : 2.4.59-1~deb10u9 (buster)

Related CVEs :
CVE-2026-29167
CVE-2026-29170
CVE-2026-34355
CVE-2026-34356
CVE-2026-42535
CVE-2026-42536
CVE-2026-43951
CVE-2026-44119
CVE-2026-44185
CVE-2026-44186
CVE-2026-44631
CVE-2026-48913

Multiple vulnerabilities have been discovered in the Apache HTTP server,
which may result in remote code execution, privilege escalation, denial
of service or information disclosure.


[SECURITY] [DLA 4630-1] openssl security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4630-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Arnaud Rebillout
June 15, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : openssl
Version : 1.1.1w-0+deb11u8
CVE ID : CVE-2026-7383 CVE-2026-9076 CVE-2026-34180 CVE-2026-42766
CVE-2026-45447

Several vulnerabilities have been discovered in OpenSSL, a Secure Socket
Layer toolkit providing the SSL and TLS cryptographic protocols for secure
communication over the Internet.

CVE-2026-7383

A signed integer overflow when sizing the destination buffer for
Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer
overflow.

CVE-2026-9076

When CMS password-based decryption (RFC 3211 / PWRI key unwrap)
processes attacker-supplied CMS data, an attacker-chosen stream-mode
KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

CVE-2026-34180

Parsing a crafted DER-encoded ASN.1 structure with a primitive element
whose content exceeds 2 gigabytes in length may cause a heap buffer
over-read on 64-bit Unix and Unix-like platforms.

CVE-2026-42766

A specially crafted password-encrypted CMS message can trigger a NULL
pointer dereference during CMS decryption.

CVE-2026-45447

A specially crafted PKCS#7 or S/MIME signed message could trigger a
use-after-free during PKCS#7 signature verification.

For Debian 11 bullseye, these problems have been fixed in version
1.1.1w-0+deb11u8.

We recommend that you upgrade your openssl packages.
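A check an administrator can run over a package inventory, added here as an example that is not part of either advisory: a Python implementation of dpkg's version ordering (so that `2.4.59-1~deb10u9` correctly sorts below `2.4.59-1`) and an `audit()` that flags packages still below the fixed versions named on this page. The `FIXED` table is taken from the two advisories above; the helper names and the inventory format are assumptions, and nothing here queries a host itself.

```python
# Fixed versions stated in the two advisories on this page.
FIXED = {
    "apache2": "2.4.59-1~deb10u9",  # ELA-1754-1, Debian 10 buster
    "openssl": "1.1.1w-0+deb11u8",  # DLA-4630-1, Debian 11 bullseye
}

def _order(c):
    # dpkg character weight: '~' < end-of-string or digit < letters < other punctuation
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one upstream-version or debian-revision string the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: character by character, '~' sorting below the empty string
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i] if i < len(a) else "") - _order(b[j] if j < len(b) else "")
            if d:
                return d
            i, j = i + 1, j + 1
        # digit run: numeric comparison, so leading zeros do not matter
        na = nb = ""
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        d = int(na or "0") - int(nb or "0")
        if d:
            return d
    return 0

def compare_versions(a, b):
    """Return <0, 0 or >0, like `dpkg --compare-versions a lt/eq/gt b`."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(installed, fixed=FIXED):
    """Map each package still below its fixed version to (installed, fixed)."""
    # `installed` maps package -> version, e.g. parsed from: dpkg-query -W -f='${Package} ${Version}\n'
    return {p: (v, fixed[p]) for p, v in installed.items()
            if p in fixed and compare_versions(v, fixed[p]) < 0}
```

On a bullseye host, `audit({"openssl": "1.1.1w-0+deb11u7"})` returns the openssl entry with its target `1.1.1w-0+deb11u8`, while an empty result means every listed package is at or above the fixed version.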

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS