
Debian has released several security advisories addressing critical flaws in widely deployed software, including Apache HTTP Server, PHP 8.2 and 8.4, Firefox ESR, the Linux kernel, Postorius, and Little CMS. These vulnerabilities could allow attackers to execute arbitrary code, escalate privileges, crash services, or expose sensitive information. Each advisory lists the exact fixed version for the affected Debian releases, including older stable distributions that require immediate patching. Administrators should prioritize patching these installations right away.

[DLA 4571-1] apache2 security update
[DSA 6257-1] postorius security update
[DSA 6256-1] php8.4 security update
[DSA 6255-1] php8.2 security update
[DLA 4572-1] linux security update
[DSA 6254-1] firefox-esr security update
[DSA 6253-1] linux security update
ELA-1713-1 linux-5.10 security update
ELA-1709-1 lcms2 security update



[SECURITY] [DLA 4571-1] apache2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4571-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
May 08, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : apache2
Version : 2.4.67-1~deb11u1
CVE ID : CVE-2026-24072 CVE-2026-29169 CVE-2026-33006
CVE-2026-33007 CVE-2026-33523 CVE-2026-33857 CVE-2026-34032
CVE-2026-34059
Debian Bug : 1135737

Multiple vulnerabilities have been discovered in the Apache HTTP server,
which may result in remote code execution, privilege escalation, denial
of service or information disclosure.

For Debian 11 bullseye, these problems have been fixed in version
2.4.67-1~deb11u1.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6257-1] postorius security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6257-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 08, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : postorius
CVE ID : CVE-2026-44742

A cross-site scripting vulnerability was discovered in Postorius, the
administrative web frontend for Mailman 3.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.3.8-3+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 1.3.13-1+deb13u1.

We recommend that you upgrade your postorius packages.

For the detailed security status of postorius please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postorius

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6256-1] php8.4 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6256-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 08, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : php8.4
CVE ID : CVE-2025-14179 CVE-2026-6104 CVE-2026-6722 CVE-2026-6735
CVE-2026-7258 CVE-2026-7259 CVE-2026-7261 CVE-2026-7262
CVE-2026-7263 CVE-2026-7568

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language which could result in denial of
service, SQL injection, cross-site scripting, information disclosure
or the execution of arbitrary code.

For the stable distribution (trixie), these problems have been fixed in
version 8.4.21-1~deb13u1.

We recommend that you upgrade your php8.4 packages.

For the detailed security status of php8.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php8.4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6255-1] php8.2 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6255-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 08, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : php8.2
CVE ID : CVE-2025-14179 CVE-2026-6722 CVE-2026-6735 CVE-2026-7258
CVE-2026-7259 CVE-2026-7261 CVE-2026-7262 CVE-2026-7568

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language which could result in denial of
service, SQL injection, cross-site scripting or the execution of
arbitrary code.

For the oldstable distribution (bookworm), these problems have been fixed
in version 8.2.31-1~deb12u1.

We recommend that you upgrade your php8.2 packages.

For the detailed security status of php8.2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php8.2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4572-1] linux security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4572-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Ben Hutchings
May 08, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : linux
Version : 5.10.251-4
CVE ID : CVE-2026-43284 CVE-2026-43500

Two vulnerabilities have been discovered in the Linux kernel that may
lead to local privilege escalation.

For Debian 11 bullseye, these problems have been fixed in version
5.10.251-4.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6254-1] firefox-esr security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6254-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 08, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2026-8090 CVE-2026-8092 CVE-2026-8094

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code.

For the oldstable distribution (bookworm), these problems have been fixed
in version 140.10.2esr-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 140.10.2esr-1~deb13u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6253-1] linux security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6253-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 08, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2025-38584 CVE-2026-23468 CVE-2026-31419 CVE-2026-31709
CVE-2026-31715 CVE-2026-43284 CVE-2026-43500

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

For the stable distribution (trixie), these problems have been fixed in
version 6.12.86-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1713-1 linux-5.10 security update


Package : linux-5.10
Version : 5.10.251-4~deb9u1 (stretch), 5.10.251-4~deb10u1 (buster)

Related CVEs :
CVE-2026-43284
CVE-2026-43500

Two vulnerabilities have been discovered in the Linux kernel that may
lead to local privilege escalation.




ELA-1709-1 lcms2 security update


Package : lcms2

Version : 2.8-4+deb9u2 (stretch), 2.9-3+deb10u1 (buster)

Related CVEs :
CVE-2026-41254

An integer overflow issue was discovered in Little CMS.

