Debian GNU/Linux 10 (Buster) ELTS:
ELA-1678-1 bind9 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4524-1] postgresql-13 security update
[DLA 4525-1] libyaml-syck-perl security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6204-1] openssh security update
[SECURITY] [DLA 4524-1] postgresql-13 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4524-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Jochen Sprickerhof
April 08, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : postgresql-13
Version : 13.23-0+deb11u2
CVE ID : CVE-2026-2003 CVE-2026-2004 CVE-2026-2005 CVE-2026-2006
Debian Bug :
Multiple vulnerabilities were fixed in PostgreSQL, a popular database.
CVE-2026-2003
Fix CVE-2026-2003: Improper validation of type "oidvector" in PostgreSQL
allows a database user to disclose a few bytes of server memory. We have
not ruled out viability of attacks that arrange for presence of
confidential information in disclosed bytes, but they seem unlikely.
CVE-2026-2004
Fix CVE-2026-2004: Missing validation of type of input in PostgreSQL
intarray extension selectivity estimator function allows an object creator
to execute arbitrary code as the operating system user running the
database.
CVE-2026-2005
Fix CVE-2026-2005: Heap buffer overflow in PostgreSQL pgcrypto allows a
ciphertext provider to execute arbitrary code as the operating system user
running the database.
CVE-2026-2006
Fix CVE-2026-2006: Missing validation of multibyte character length in
PostgreSQL text manipulation allows a database user to issue crafted
queries that achieve a buffer overrun. That suffices to execute arbitrary
code as the operating system user running the database.
For Debian 11 bullseye, these problems have been fixed in version
13.23-0+deb11u2.
We recommend that you upgrade your postgresql-13 packages.
For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6204-1] openssh security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6204-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 09, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openssh
CVE ID : CVE-2026-3497
Debian Bug : 1130595
Jeremy Brown discovered a flaw in the GSSAPI Key Exchange patch applied
in Debian to OpenSSH, an implementation of the SSH protocol suite,
affecting non-default configurations with the GSSAPIKeyExchange setting
enabled. A remote attacker can take advantage of this flaw to cause a
denial of service, or potentially the execution of arbitrary code.
For the oldstable distribution (bookworm), this problem has been fixed
in version 1:9.2p1-2+deb12u9. This update includes fixes for
CVE-2025-61984 and CVE-2025-61985 which were queued for the Debian
bookworm 12.14 point release.
For the stable distribution (trixie), this problem has been fixed in
version 1:10.0p1-7+deb13u2.
We recommend that you upgrade your openssh packages.
For the detailed security status of openssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/openssh
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4525-1] libyaml-syck-perl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4525-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
April 09, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libyaml-syck-perl
Version : 1.34-1+deb11u1
CVE ID : CVE-2025-11683 CVE-2026-4177
Brief introduction
CVE-2025-11683
Missing null terminators in token.c lead to an out-of-bounds read
which allows an adjacent variable to be read. The issue is seen with
complex YAML files containing a hash of all keys and empty values.
CVE-2026-4177
Several security vulnerabilities including a high-severity heap
buffer overflow in the YAML emitter. The heap overflow occurs when
class names exceed the initial 512-byte allocation. The base64
decoder could read past the buffer end on trailing newlines. strtok
mutated n->type_id in place, corrupting shared node data. A memory
leak occurred in syck_hdlr_add_anchor when a node already had an
anchor. The incoming anchor string 'a' was leaked on early return.
For Debian 11 bullseye, these problems have been fixed in version
1.34-1+deb11u1.
We recommend that you upgrade your libyaml-syck-perl packages.
For the detailed security status of libyaml-syck-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libyaml-syck-perl
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1678-1 bind9 security update
Package : bind9
Version : 1:9.11.37+git20260204.fcafb2d+dfsg-0~deb10u1 (buster)
Related CVEs :
CVE-2025-40778
bind9, a popular name server, was affected by a vulnerability.
Under certain circumstances, BIND is too lenient when accepting records from answers,
allowing an attacker to inject forged data into the cache (cache poisoning).
The security fixes required updating the isc-dhcp and bind-dyndb-ldap packages as well.
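As an added example (not Debian's tooling and not part of these advisories), the following Python reimplements dpkg's version ordering and checks an installed-package listing against the fixed versions quoted above; it assumes openssh-server is the binary package to check for the openssh advisory, and the dpkg-query sample is constructed.

```python
# Fixed versions quoted in the advisories above, keyed by (suite, binary package).
FIXED = {
    ("bullseye", "postgresql-13"): "13.23-0+deb11u2",
    ("bullseye", "libyaml-syck-perl"): "1.34-1+deb11u1",
    ("bookworm", "openssh-server"): "1:9.2p1-2+deb12u9",  # sshd binary from source openssh (assumption)
    ("trixie", "openssh-server"): "1:10.0p1-7+deb13u2",
    ("buster", "bind9"): "1:9.11.37+git20260204.fcafb2d+dfsg-0~deb10u1",
}
DIGITS = "0123456789"

def _order(c):  # dpkg character weight: '~' < end-of-string/digit < letters < other
    if c == "" or c in DIGITS:
        return 0
    return ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _cmp_part(a, b):  # port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs
    while a or b:
        while (a and a[0] not in DIGITS) or (b and b[0] not in DIGITS):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")          # leading zeros are insignificant
        na, nb = len(a) - len(a.lstrip(DIGITS)), len(b) - len(b.lstrip(DIGITS))
        if na != nb:                                  # longer digit run = larger number
            return na - nb
        if a[:na] != b[:nb]:                          # same length: compare digit by digit
            return (a[:na] > b[:nb]) - (a[:na] < b[:nb])
        a, b = a[na:], b[nb:]
    return 0

def parse_version(v):  # '[epoch:]upstream[-revision]', epoch defaults to 0
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else revision), (revision if sep else "")

def compare_versions(a, b):  # -1, 0 or 1 as a is older than, equal to, or newer than b
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    r = (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (r > 0) - (r < 0)

def check_host(suite, dpkg_output):  # dpkg_output: 'dpkg-query -W' text, name<TAB>version per line
    installed = dict(l.split("\t", 1) for l in dpkg_output.splitlines() if l)
    return {pkg: "fixed" if compare_versions(installed[pkg], fixed) >= 0 else "VULNERABLE"
            for (s, pkg), fixed in FIXED.items() if s == suite and pkg in installed}

# Constructed 'dpkg-query -W' sample (bullseye host): postgresql-13 lags the fix, libyaml-syck-perl is fixed.
SAMPLE = "postgresql-13\t13.23-0+deb11u1\nlibyaml-syck-perl\t1.34-1+deb11u1\n"
```

On a real host, feed `check_host` the output of `dpkg-query -W` for the suite in question; where dpkg itself is available, `dpkg --compare-versions` remains the authoritative comparator.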