Debian 10843

Debian released security advisories for asterisk, phpseclib, and roundcube to address critical flaws. The asterisk update fixes reflected XSS in the HTTP status page, XXE in the XML parser, and two local privilege-escalation issues in the ast_coredumper script. The phpseclib update fixes a hostname-confusion issue in X.509 Subject Alternative Name matching and a padding-oracle timing leak in AES-CBC unpadding, while roundcube patches numerous flaws including SSRF, IMAP injection and several HTML and CSS sanitizer bypasses.

Debian GNU/Linux 10 (Buster) ELTS:
ELA-1671-1 phpseclib security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4515-1] asterisk security update
[DLA 4518-1] phpseclib security update
[DLA 4517-1] roundcube security update




[SECURITY] [DLA 4515-1] asterisk security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4515-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Lukas Märdian
March 29, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : asterisk
Version : 1:16.28.0~dfsg-0+deb11u9
CVE ID : CVE-2026-23738 CVE-2026-23739 CVE-2026-23740 CVE-2026-23741
Debian Bug : 1127438

Multiple vulnerabilities were discovered in asterisk, an Open Source Private
Branch Exchange (PBX) and telephony toolkit.

CVE-2026-23738

XSS vulnerability in the /httpstatus page. Cookie names/values and GET
parameter names/values are rendered without HTML-escaping, allowing
reflected cross-site scripting attacks. The status page is now also
disabled by default.

CVE-2026-23739

XXE injection vulnerability in xml.c. The XML parsing functions allow
external entity processing which can be exploited for XML External Entity
injection attacks via network-based entity resolution.

CVE-2026-23740

Privilege escalation via ast_coredumper gdbinit file permissions. The
script creates temporary files with default umask permissions, potentially
allowing local users to read or tamper with sensitive debugging data.

CVE-2026-23741

Privilege escalation via ast_coredumper sourcing configuration files
without ownership or permission checks. When running as root, a non-root
user could place a malicious config file that gets sourced with root
privileges.
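The two ast_coredumper issues above are instances of a general pattern: scratch files must be created with an explicit restrictive mode rather than whatever the umask yields, and a file is only sourced by a privileged process after its type, owner and permission bits have been checked. The following Python is an added example illustrating both checks; it is not Asterisk's own code (ast_coredumper is a shell script) and not part of this advisory. The file-name prefix, the acceptance rule (owned by root or the effective user, not group/world writable, not a symlink) and the constructed chmod scenario are assumptions chosen for illustration.

```python
import os
import stat
import tempfile


def create_private_tempfile(prefix: str = "gdbinit-") -> str:
    """Create a scratch file readable and writable only by its creator.

    tempfile.mkstemp opens with O_CREAT|O_EXCL and mode 0600 regardless of
    the process umask, so a permissive umask (the defect class behind
    CVE-2026-23740) cannot widen the permissions. The prefix is illustrative.
    """
    fd, path = tempfile.mkstemp(prefix=prefix)
    os.close(fd)
    return path


def config_is_trusted(path: str) -> bool:
    """Return True only if `path` is safe for a privileged process to read.

    These are the checks that were absent in CVE-2026-23741 (assumed policy):
    regular file (lstat, so symlinks are rejected), owned by root or the
    effective user, and not writable by group or others.
    """
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid not in (0, os.geteuid()):
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def demonstrate(umask: int = 0o022) -> dict:
    """Exercise both helpers and return what was observed.

    A permissive umask is set while the temp file is created to show that the
    mode is still 0600; the file is then made world-writable to show the
    ownership/permission check rejecting it (constructed scenario).
    """
    old_umask = os.umask(umask)
    try:
        path = create_private_tempfile()
    finally:
        os.umask(old_umask)
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        trusted_initially = config_is_trusted(path)
        os.chmod(path, 0o666)
        trusted_world_writable = config_is_trusted(path)
    finally:
        os.remove(path)
    return {
        "mode": mode,
        "trusted_initially": trusted_initially,
        "trusted_world_writable": trusted_world_writable,
    }


if __name__ == "__main__":
    result = demonstrate()
    print(f"temp file mode: {result['mode']:04o}")
    print("trusted initially:", result["trusted_initially"])
    print("trusted after chmod 666:", result["trusted_world_writable"])
```

The ownership check uses lstat rather than stat so that a symlink planted at the expected path is rejected outright instead of being followed to its target.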

For Debian 11 bullseye, these problems have been fixed in version
1:16.28.0~dfsg-0+deb11u9.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1671-1 phpseclib security update


Package : phpseclib
Version : 1.0.19-3~deb10u4 (buster)

Related CVEs :
CVE-2023-52892
CVE-2026-32935

Two vulnerabilities were discovered in phpseclib, a PHP Secure
Communications Library.

CVE-2023-52892
Some characters in Subject Alternative Name fields in TLS
certificates were incorrectly allowed to have a special meaning
in regular expressions, leading to name confusion in X.509
certificate host verification.

CVE-2026-32935
The AES-CBC implementation was susceptible to a padding oracle
timing attack due to the use of a short-circuiting logical
operator in the unpadding function.





[SECURITY] [DLA 4518-1] phpseclib security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4518-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
March 30, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : phpseclib
Version : 1.0.19-3+deb11u3
CVE ID : CVE-2023-52892 CVE-2026-32935

Two vulnerabilities were discovered in phpseclib, a PHP Secure
Communications Library.

CVE-2023-52892

Some characters in Subject Alternative Name fields in TLS
certificates were incorrectly allowed to have a special meaning
in regular expressions, leading to name confusion in X.509
certificate host verification.
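CVE-2023-52892, described identically in ELA-1671-1 above and here, is the classic case of building a hostname-matching regular expression from certificate data without escaping it. The Python below is an added example (not phpseclib code and not from this advisory) that puts the defective construction beside an escaped one: every label is passed through re.escape and a wildcard is honoured only as the whole leftmost label. The function names and the leftmost-label wildcard rule are assumptions for illustration; a real TLS client should rely on its library's hostname verification rather than hand-rolled matching.

```python
import re


def naive_san_pattern(san: str) -> re.Pattern:
    """Defect pattern: the SAN text is interpolated into a regex unescaped,
    so '.' (and any other metacharacter present) keeps its regex meaning."""
    return re.compile(san.replace("*", "[^.]+"), re.IGNORECASE)


def safe_san_pattern(san: str) -> re.Pattern:
    """Escape every label with re.escape; a wildcard is honoured only when it
    is the entire leftmost label (assumed policy, in the spirit of RFC 6125)."""
    labels = san.split(".")
    parts = []
    for index, label in enumerate(labels):
        if label == "*" and index == 0:
            parts.append("[^.]+")  # one DNS label, never spanning a dot
        elif "*" in label:
            raise ValueError("wildcard allowed only as the whole leftmost label")
        else:
            parts.append(re.escape(label))  # '.' and friends become literals
    return re.compile(r"\.".join(parts), re.IGNORECASE)


def san_matches(san: str, hostname: str, naive: bool = False) -> bool:
    """True if the presented hostname is covered by the SAN entry.
    naive=True selects the defective matcher, for side-by-side comparison."""
    try:
        pattern = naive_san_pattern(san) if naive else safe_san_pattern(san)
    except ValueError:
        return False  # malformed SAN patterns never match
    return pattern.fullmatch(hostname) is not None


if __name__ == "__main__":
    # Constructed inputs: one exact SAN and one wildcard SAN.
    for san, host in [("www.example.com", "www.example.com"),
                      ("www.example.com", "wwwXexample.com"),
                      ("*.example.com", "mail.example.com"),
                      ("*.example.com", "a.b.example.com")]:
        print(f"{san:18} vs {host:18} naive={san_matches(san, host, True)!s:5} "
              f"safe={san_matches(san, host)}")
```

The comparison line in the demo shows the effect the advisory describes: with the unescaped pattern a dot in the SAN matches any character, so a name that differs from the certificate's name still verifies, while the escaped pattern accepts only the literal name or a single extra leftmost label.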

CVE-2026-32935

The AES-CBC implementation was susceptible to a padding oracle
timing attack due to the use of a short-circuiting logical
operator in the unpadding function.
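CVE-2026-32935 concerns how the padding check is written rather than what it checks: an unpadding routine that stops at the first wrong byte does an amount of work that depends on where the padding is wrong, and that difference is what a padding-oracle timing attack measures. The Python below is an added example (not phpseclib code and not from this advisory) that contrasts a short-circuiting PKCS#7 unpad with one that inspects every byte of the last block using bitwise masks and decides only at the end. Both functions return the number of bytes examined alongside the result so the difference is visible without timing measurements; the 16-byte block size, the function names and the sample inputs are constructed for illustration, and Python itself gives no hard constant-time guarantee, so only the structure of the check is being shown.

```python
def unpad_short_circuit(data: bytes, block_size: int = 16):
    """Defect pattern: returns at the first mismatching byte, so the work done
    (and therefore the time taken) depends on where the padding is wrong."""
    pad_len = data[-1]
    examined = 1
    if pad_len < 1 or pad_len > block_size:
        return None, examined
    for i in range(2, pad_len + 1):
        examined += 1
        if data[-i] != pad_len:
            return None, examined
    return data[:-pad_len], examined


def unpad_constant_time(data: bytes, block_size: int = 16):
    """Examine every byte of the final block with bitwise masks and decide
    validity only at the end; the work is independent of the padding contents."""
    if len(data) < block_size or len(data) % block_size:
        return None, 0  # the length is public, so this early exit leaks nothing
    pad_len = data[-1]
    # 0xFF if pad_len is outside 1..block_size, else 0 (a negative value >> 8 is all ones)
    bad = (((pad_len - 1) >> 8) | ((block_size - pad_len) >> 8)) & 0xFF
    for i in range(block_size):
        byte = data[-1 - i]
        in_pad = ((i - pad_len) >> 8) & 0xFF  # 0xFF while i < pad_len, else 0
        bad |= in_pad & (byte ^ pad_len)      # accumulate, never branch
    if bad:
        return None, block_size
    return data[:-pad_len], block_size


if __name__ == "__main__":
    # Constructed 16-byte blocks: valid padding, and padding broken in two places.
    samples = [b"hello world\x05\x05\x05\x05\x05",
               b"hello world\x05\x05\x05\x04\x05",
               b"hello world\x04\x05\x05\x05\x05"]
    for s in samples:
        print(s, "short-circuit:", unpad_short_circuit(s),
              "constant-time:", unpad_constant_time(s))
```

In the short-circuiting version the two invalid samples are rejected after 2 and 5 byte comparisons respectively, which is exactly the position-dependent signal an attacker would measure; the mask-based version always touches all 16 bytes of the final block.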

For Debian 11 bullseye, these problems have been fixed in version
1.0.19-3+deb11u3.

We recommend that you upgrade your phpseclib packages.

For the detailed security status of phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpseclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4517-1] roundcube security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4517-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
March 30, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : roundcube
Version : 1.4.15+dfsg.1-1+deb11u8
CVE ID : not yet available
Debian Bug : 1131182 1132268

Multiple vulnerabilities were discovered in Roundcube, a skinnable AJAX
based webmail solution for IMAP servers, which might lead to information
disclosure or privilege escalation.

* Georgios Tsimpidas discovered a Server-side request forgery (SSRF)
vulnerability via stylesheet links to local network hosts.
* An IMAP injection and CSRF bypass vulnerability was found within the
email search logic.
* It was discovered that one could change password without providing
the old one in some situations.
* NULL CATHEDRAL discovered that the HTML sanitizer doesn't sanitize
image sources in SVG `` attributes. This allows attackers
to bypass remote image blocking to track when an email is opened or
potentially bypass access control.
* NULL CATHEDRAL discovered that the HTML sanitizer doesn't sanitize
`` attributes. This allows attackers to bypass
remote image blocking to track when an email is opened or potentially
bypass access control.
* NULL CATHEDRAL discovered that the CSS sanitizer doesn't convert
`position: fixed` to `position: absolute` when `!important` is used.
This allows an attacker to mask the Roundcube UI with a fake "session
expired" page and trick the user into an attacker-controlled login
page.
* It was discovered that the HTML sanitizer doesn't sanitize image
sources in SVG `` attributes via fill/filter/stroke. This
allows attackers to bypass remote image blocking to track when an email
is opened or potentially bypass access control.
* A Cross-site scripting (XSS) vulnerability was found in the HTML
attachment preview.
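The CSS sanitizer item above is a reminder that a sanitizer must normalise a declaration before comparing it: a check that compares the whole value against the literal "fixed" is defeated by any suffix such as "!important". The Python below is an added example (not Roundcube's code and not from this advisory) showing the incomplete comparison beside one that separates the "!important" flag from the value, normalises case and whitespace, and rewrites fixed positioning to absolute while preserving the flag. The function names and sample declarations are constructed; a production sanitizer should use a real CSS tokenizer rather than splitting on semicolons, since strings and url() values may contain them.

```python
import re

# Trailing "!important" flag, tolerant of whitespace and case.
_IMPORTANT_RE = re.compile(r"!\s*important\s*$", re.IGNORECASE)


def naive_neutralise(css: str) -> str:
    """Incomplete check: compares the entire value with 'fixed', so any
    suffix such as '!important' makes the declaration pass through untouched."""
    out = []
    for decl in css.split(";"):
        prop, _, value = decl.partition(":")
        if prop.strip().lower() == "position" and value.strip().lower() == "fixed":
            out.append(prop + ": absolute")
        else:
            out.append(decl)
    return ";".join(out)


def neutralise_fixed_positioning(css: str) -> str:
    """Rewrite every 'position: fixed' declaration to 'position: absolute',
    keeping an '!important' flag if one was present. The flag is stripped
    before the value comparison so it cannot hide the property value."""
    out = []
    for decl in css.split(";"):
        if ":" not in decl:
            out.append(decl)  # empty or malformed fragment, passed through
            continue
        prop, _, value = decl.partition(":")
        important = _IMPORTANT_RE.search(value) is not None
        core = _IMPORTANT_RE.sub("", value).strip()
        if prop.strip().lower() == "position" and core.lower() == "fixed":
            new_value = " absolute" + (" !important" if important else "")
            out.append(prop + ":" + new_value)
        else:
            out.append(decl)
    return ";".join(out)


if __name__ == "__main__":
    # Constructed style attribute values as a sanitizer would receive them.
    for sample in ["position: fixed", "position: fixed !important",
                   "color: red; POSITION:FIXED ! important"]:
        print(f"{sample!r:45} naive -> {naive_neutralise(sample)!r}")
        print(f"{'':45} fixed -> {neutralise_fixed_positioning(sample)!r}")
```

Only the declaration that was actually changed is reformatted; other declarations in the same attribute are emitted exactly as received, which keeps the rewrite easy to diff when reviewing sanitizer output.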

CVE IDs have been requested but have not been assigned yet.

For Debian 11 bullseye, these problems have been fixed in version
1.4.15+dfsg.1-1+deb11u8.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS