[DLA 4620-1] apache2 security update
ELA-1752-1 apache2 security update
[DLA 4621-1] glibc security update
[DSA 6327-1] request-tracker4 security update
[DSA 6326-1] nginx security update
[DSA 6325-1] chromium security update
[SECURITY] [DLA 4620-1] apache2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4620-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
June 07, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : apache2
Version : 2.4.67-1~deb11u2
CVE ID : CVE-2026-49975
Debian Bug : 1138750
It was discovered that incorrect cookie header accounting in the HTTP/2
implementation of the Apache HTTP server may result in denial of service
(excessive resource consumption).
For Debian 11 bullseye, this problem has been fixed in version
2.4.67-1~deb11u2.
We recommend that you upgrade your apache2 packages.
For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1752-1 apache2 security update
Package : apache2
Version : 2.4.25-3+deb9u24 (stretch), 2.4.59-1~deb10u8 (buster)
Related CVEs :
CVE-2026-49975
It was discovered that incorrect cookie header accounting in the HTTP/2
implementation of the Apache HTTP server may result in denial of service
(excessive resource consumption).
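Both advisories above state a fixed version per suite (2.4.25-3+deb9u24 for stretch, 2.4.59-1~deb10u8 for buster, 2.4.67-1~deb11u2 for bullseye), and the glibc advisory below does the same for 2.31-13+deb11u14. Deciding whether an installed package already carries the fix means comparing Debian version strings, where "~" sorts before everything (so 2.4.67-1~deb11u2 is older than 2.4.67-1) and an absent revision equals "0". The following is an added example, not dpkg's or the advisory's code: a C implementation of the comparison algorithm from Debian Policy section 5.6.12 (the same ordering dpkg --compare-versions applies), plus a lookup of the apache2 fixed versions listed on this page. The installed version string in main() is a constructed sample standing in for what `dpkg-query -W -f='${Version}' apache2` would print; the function and table names are this example's own.

```c
/* Debian version comparison (Debian Policy 5.6.12, the ordering dpkg uses),
 * applied to the fixed versions from DLA-4620-1 / ELA-1752-1.
 * Added example for this page; not dpkg or advisory code. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Character weight: '~' sorts before everything (even end of string),
 * letters sort before other non-digits, digits are compared numerically. */
static int order(int c)
{
    if (isdigit(c)) return 0;
    if (isalpha(c)) return c;
    if (c == '~') return -1;
    if (c) return c + 256;
    return 0;
}

/* Compare one version fragment (upstream version or Debian revision). */
static int verrevcmp(const char *a, const char *b)
{
    while (*a || *b) {
        int first_diff = 0;
        /* Non-digit runs are compared character by character by weight. */
        while ((*a && !isdigit((unsigned char)*a)) ||
               (*b && !isdigit((unsigned char)*b))) {
            int ac = order((unsigned char)*a), bc = order((unsigned char)*b);
            if (ac != bc) return ac - bc;
            a++; b++;
        }
        /* Digit runs are compared as numbers, ignoring leading zeros. */
        while (*a == '0') a++;
        while (*b == '0') b++;
        while (isdigit((unsigned char)*a) && isdigit((unsigned char)*b)) {
            if (!first_diff) first_diff = *a - *b;
            a++; b++;
        }
        if (isdigit((unsigned char)*a)) return 1;   /* a has a longer number */
        if (isdigit((unsigned char)*b)) return -1;
        if (first_diff) return first_diff;
    }
    return 0;
}

/* [epoch:]upstream[-revision]; the revision follows the LAST hyphen. */
struct debver { long epoch; char upstream[96]; char revision[96]; };

static int parse_version(const char *v, struct debver *out)
{
    const char *colon = strchr(v, ':'), *hyphen;
    size_t n;
    out->epoch = 0;
    if (colon) { out->epoch = strtol(v, NULL, 10); v = colon + 1; }
    hyphen = strrchr(v, '-');
    n = hyphen ? (size_t)(hyphen - v) : strlen(v);
    if (n >= sizeof out->upstream) return -1;
    memcpy(out->upstream, v, n);
    out->upstream[n] = '\0';
    if (!hyphen) { out->revision[0] = '\0'; return 0; } /* "" compares equal to "0" */
    if (strlen(hyphen + 1) >= sizeof out->revision) return -1;
    strcpy(out->revision, hyphen + 1);
    return 0;
}

/* <0 if a is older than b, 0 if equal, >0 if newer (like dpkg --compare-versions).
 * Overlong inputs are rejected outright rather than silently treated as equal. */
int deb_compare_versions(const char *a, const char *b)
{
    struct debver va, vb;
    int r;
    if (parse_version(a, &va) != 0 || parse_version(b, &vb) != 0) {
        fprintf(stderr, "version string too long: %s / %s\n", a, b);
        exit(EXIT_FAILURE);
    }
    if (va.epoch != vb.epoch) return va.epoch < vb.epoch ? -1 : 1;
    r = verrevcmp(va.upstream, vb.upstream);
    return r ? r : verrevcmp(va.revision, vb.revision);
}

/* Fixed apache2 versions for CVE-2026-49975, as listed in the two advisories. */
static const struct { const char *suite, *fixed; } apache2_fixed[] = {
    { "stretch",  "2.4.25-3+deb9u24" },
    { "buster",   "2.4.59-1~deb10u8" },
    { "bullseye", "2.4.67-1~deb11u2" },
};

/* 1 if the installed apache2 on `suite` already carries the fix, 0 if it is
 * still vulnerable, -1 if the suite is not covered by these advisories. */
int apache2_is_fixed(const char *suite, const char *installed)
{
    size_t i;
    for (i = 0; i < sizeof apache2_fixed / sizeof apache2_fixed[0]; i++)
        if (strcmp(apache2_fixed[i].suite, suite) == 0)
            return deb_compare_versions(installed, apache2_fixed[i].fixed) >= 0;
    return -1;
}

int main(void)
{
    /* Constructed sample of what dpkg-query would report on a bullseye host. */
    const char *installed = "2.4.67-1~deb11u1";
    printf("bullseye apache2 %s: %s\n", installed,
           apache2_is_fixed("bullseye", installed) ? "fixed" : "VULNERABLE");
    return 0;
}
```

The tilde rule is the part worth remembering when reading LTS version numbers: 2.4.67-1~deb11u2 is a backport that sorts below the plain 2.4.67-1 it was built from, so a host that somehow carries 2.4.67-1 counts as at or above the fixed version, while 2.4.67-1~deb11u1 does not.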
[SECURITY] [DLA 4621-1] glibc security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4621-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arnaud Rebillout
June 08, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : glibc
Version : 2.31-13+deb11u14
CVE ID : CVE-2025-8058 CVE-2025-15281 CVE-2026-0861 CVE-2026-0915
CVE-2026-4046
Debian Bug : 1109803 1125678 1125748 1126266 1132499
Several vulnerabilities have been discovered in the GNU C Library, the C
standard library implementation used by Debian.
CVE-2025-8058
posix: Fix double-free after allocation failure in regcomp
The regcomp function in the GNU C Library, versions 2.4 through 2.41, is
subject to a double free if an earlier allocation fails. This can be
triggered either by a genuine malloc failure or by an interposed malloc
that injects random allocation failures. Depending on how the regex is
constructed, the double free can allow buffer manipulation. This issue
affects all architectures and ABIs supported by the GNU C Library.
CVE-2025-15281
posix: Reset wordexp_t fields with WRDE_REUSE
Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the
GNU C Library version 2.0 to version 2.42 may cause the interface to
return uninitialized memory in the we_wordv member, which on
subsequent calls to wordfree may abort the process.
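The flags named in that entry are easy to misread: WRDE_APPEND adds the new expansion to the words already held in the wordexp_t, while WRDE_REUSE tells the library to free the previous words first; the advisory's failure is the two combined. The following is an added example, not glibc or advisory code, that exercises each flag on its own (the pattern that avoids the combination) and frees the result exactly once. It assumes a POSIX wordexp(3) as provided by glibc; WRDE_NOCMD is set throughout so no shell is ever spawned for command substitution, and the helper names and sample word lists are this example's own.

```c
/* WRDE_APPEND and WRDE_REUSE (CVE-2025-15281) used separately, each with
 * WRDE_NOCMD, and a single wordfree() of the result.  Added example for this
 * page; not glibc or advisory code.  Assumes a POSIX wordexp(3). */
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Expand `first`, then append the expansion of `second` to the same
 * wordexp_t.  Returns the total word count, or -1 on error (nothing to free). */
int expand_append(wordexp_t *we, const char *first, const char *second)
{
    memset(we, 0, sizeof *we);                    /* start from a zeroed struct */
    /* WRDE_NOCMD rejects $(...) and backticks, so /bin/sh is never run. */
    if (wordexp(first, we, WRDE_NOCMD) != 0)
        return -1;
    if (wordexp(second, we, WRDE_NOCMD | WRDE_APPEND) != 0) {
        wordfree(we);
        return -1;
    }
    return (int)we->we_wordc;
}

/* Replace the contents of an already-filled wordexp_t.  WRDE_REUSE frees the
 * previous words first; it is deliberately NOT combined with WRDE_APPEND. */
int expand_reuse(wordexp_t *we, const char *words)
{
    if (wordexp(words, we, WRDE_NOCMD | WRDE_REUSE) != 0)
        return -1;
    return (int)we->we_wordc;
}

/* Word at index i, or NULL when out of range (never reads past we_wordv). */
const char *word_at(const wordexp_t *we, size_t i)
{
    return i < we->we_wordc ? we->we_wordv[i] : NULL;
}

/* 1 if the append-then-reuse sequence yields the documented word lists. */
int sequence_ok(void)
{
    wordexp_t we;
    int ok = expand_append(&we, "alpha beta", "gamma") == 3
          && strcmp(word_at(&we, 0), "alpha") == 0
          && strcmp(word_at(&we, 2), "gamma") == 0
          && word_at(&we, 3) == NULL;
    /* Reusing the same struct: the three old words are freed by the library. */
    ok = ok && expand_reuse(&we, "x y") == 2
            && strcmp(word_at(&we, 0), "x") == 0
            && word_at(&we, 2) == NULL;
    wordfree(&we);                                /* exactly one free of the result */
    return ok;
}

/* 1 if command substitution is refused under WRDE_NOCMD (no shell involved). */
int nocmd_rejected(void)
{
    wordexp_t we;
    return expand_append(&we, "$(id)", "z") == -1;
}

int main(void)
{
    printf("append/reuse sequence: %s\n", sequence_ok() ? "ok" : "FAILED");
    printf("command substitution under WRDE_NOCMD: %s\n",
           nocmd_rejected() ? "rejected" : "ACCEPTED");
    return 0;
}
```

On a glibc that carries the fix, this sequence is also a cheap regression check to keep next to code that reuses a wordexp_t across calls: if it ever aborts inside wordfree, the struct was handed to wordexp with stale we_wordc/we_wordv fields.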
CVE-2026-0861
memalign: reinstate alignment overflow check
Passing too large an alignment to the memalign suite of functions
(memalign, posix_memalign, aligned_alloc) in the GNU C Library, versions
2.30 through 2.42, may result in an integer overflow, which could
consequently result in heap corruption. Note that the attacker must
have control over both the size and the alignment arguments of the
memalign function to be able to exploit this. The size parameter must
be close enough to PTRDIFF_MAX so as to overflow size_t along with the
large alignment argument. This limits the malicious inputs
for the alignment for memalign to the range [1