Debian 10859 Published by

A batch of Debian security advisories addresses serious vulnerabilities in popular packages including inetutils and webkit2gtk, alongside a new upstream version of clamav for stretch ELTS. The inetutils flaws include a pre-login buffer overflow in telnetd, environment-variable disclosure by the telnet client, and an incomplete earlier fix that could allow privilege escalation; the WebKitGTK issues let crafted web content crash the browser process or track users. Memory-corruption bugs in libyaml-syck-perl and in the gdk-pixbuf JPEG loader also need prompt attention from administrators. Upgrading these packages is essential because unpatched systems are exposed to remote code execution or denial of service.

Debian GNU/Linux 9 (Stretch) ELTS:
ELA-1680-1 clamav new upstream version

Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1679-1 libyaml-syck-perl security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4527-1] inetutils security update
[DLA 4528-1] webkit2gtk security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6206-1] gdk-pixbuf security update



[SECURITY] [DLA 4527-1] inetutils security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4527-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
April 11, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : inetutils
Version : 2:2.0-1+deb11u4
CVE ID : CVE-2026-28372 CVE-2026-32746 CVE-2026-32772
Debian Bug : 1130741 1130742

Several vulnerabilities were discovered in the inetutils implementation
of telnetd and telnet, which may result in privilege escalation or
information disclosure.

CVE-2026-28372

Ron Ben Yizhak from SafeBreach found that the fix for CVE-2026-24061 was
not complete and can be exploited by abusing systemd service credentials
support added to the login(1) implementation of util-linux in release 2.40.

Debian bullseye does not ship util-linux 2.40, so it is not affected by this
problem; the fix was nonetheless applied in case someone manually upgrades
util-linux and thereby exposes the vulnerability.

CVE-2026-32746

Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel
of DREAM Security Research Team found that the telnetd server has a buffer
overflow in the LINEMODE SLC (Set Local Characters) suboption handler.
This may allow pre-login remote code execution.

CVE-2026-32772

Justin Swartz discovered that telnet allows servers to read arbitrary
environment variables from clients via NEW_ENVIRON SEND USERVAR.
This can lead to information disclosure.
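The exchange CVE-2026-32772 describes, as an added example that is not inetutils code: a server's NEW-ENVIRON SEND request (RFC 1572) and two ways a client can answer it. respond_naive looks up any USERVAR the server names and, on a blanket SEND, dumps the whole environment; respond_hardened gives values only for the RFC's well-known VARs and for USERVARs in an explicit export allowlist, echoing every other name without a VALUE (the RFC's way of saying "undefined"). The allowlist, the function names and the sample environment are this example's assumptions; the advisory does not describe how inetutils fixed the client.

```python
"""Telnet NEW-ENVIRON (RFC 1572): how a client answers a server's SEND request."""
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2                 # suboption commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3    # type bytes inside the suboption
WELL_KNOWN = {"USER", "JOB", "ACCT", "PRINTER", "SYSTEMTYPE", "DISPLAY"}  # RFC 1572 VARs

def _escape(text):
    """Escape type bytes with ESC and double IAC, as required inside names and values."""
    out = bytearray()
    for b in text.encode("latin-1"):
        if b in (VAR, VALUE, ESC, USERVAR):
            out += bytes([ESC, b])
        elif b == IAC:
            out += bytes([IAC, IAC])
        else:
            out.append(b)
    return bytes(out)

def build_send(requests):
    """Server side: IAC SB NEW-ENVIRON SEND [VAR|USERVAR name]... IAC SE.
    An empty list (or an empty name) asks for every variable of that kind."""
    msg = bytearray([IAC, SB, NEW_ENVIRON, SEND])
    for kind, name in requests:
        msg.append(kind)
        msg += _escape(name)
    return bytes(msg + bytes([IAC, SE]))

def parse_suboption(msg):
    """Decode IAC SB NEW-ENVIRON <cmd> ... IAC SE into (cmd, [(kind, name, value)]);
    value is None when no VALUE followed the name (always the case in a SEND)."""
    if msg[:3] != bytes([IAC, SB, NEW_ENVIRON]) or msg[-2:] != bytes([IAC, SE]):
        raise ValueError("not a NEW-ENVIRON suboption")
    cmd, payload = msg[3], msg[4:-2]

    def token(i):                       # one escaped string, stops at the next type byte
        out = bytearray()
        while i < len(payload) and payload[i] not in (VAR, VALUE, USERVAR):
            b, i = payload[i], i + 1
            if b in (ESC, IAC):         # escaped type byte or doubled IAC
                if i >= len(payload):
                    raise ValueError("truncated escape")
                b, i = payload[i], i + 1
            out.append(b)
        return out.decode("latin-1"), i

    items, i = [], 0
    while i < len(payload):
        kind, i = payload[i], i + 1
        if kind not in (VAR, USERVAR):
            raise ValueError("unexpected type byte %d" % kind)
        name, i = token(i)
        value = None
        if i < len(payload) and payload[i] == VALUE:
            value, i = token(i + 1)
        items.append((kind, name, value))
    return cmd, items

def _reply(pairs, environ):
    """Client side: IAC SB NEW-ENVIRON IS ... IAC SE; pairs are (kind, name, send_value)."""
    msg = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for kind, name, send_value in pairs:
        msg.append(kind)
        msg += _escape(name)
        if send_value and name in environ:
            msg.append(VALUE)
            msg += _escape(environ[name])
    return bytes(msg + bytes([IAC, SE]))

def respond_naive(requests, environ):
    """Disclosing behaviour: whatever USERVAR the server names is looked up in the
    client's environment and sent back; a blanket SEND dumps the whole environment."""
    pairs = []
    for kind, name, *_ in requests or [(VAR, ""), (USERVAR, "")]:
        if name:
            names = [name]
        elif kind == VAR:
            names = sorted(n for n in environ if n in WELL_KNOWN)
        else:
            names = sorted(n for n in environ if n not in WELL_KNOWN)
        pairs += [(kind, n, True) for n in names]
    return _reply(pairs, environ)

def respond_hardened(requests, environ, exported=frozenset()):
    """Allowlisted behaviour: only RFC well-known VARs and USERVARs the user chose to
    export get a VALUE; any other name is echoed back without one ("undefined").
    The 'exported' allowlist is this example's design, not an inetutils option."""
    pairs = []
    for kind, name, *_ in requests or [(VAR, ""), (USERVAR, "")]:
        allowed = WELL_KNOWN if kind == VAR else set(exported)
        names = [name] if name else sorted(allowed)
        pairs += [(kind, n, n in allowed) for n in names]
    return _reply(pairs, environ)

def exported_values(reply):
    """Names whose values actually left the client, for inspecting a reply."""
    return {n: v for _, n, v in parse_suboption(reply)[1] if v is not None}
```

The point of the hardened variant is that the server never learns whether an unexported variable exists: the name comes back exactly as it does for a variable that is genuinely unset, so there is no oracle for probing a client's environment.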

For Debian 11 bullseye, these problems have been fixed in version
2:2.0-1+deb11u4.

We recommend that you upgrade your inetutils packages.

For the detailed security status of inetutils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/inetutils

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1680-1 clamav new upstream version


Package : clamav
Version : 1.4.3+dfsg-1~deb9u1 (stretch)

The 1.0 series of ClamAV, an anti-virus utility for Unix, has recently been
discontinued upstream and is scheduled to stop receiving signature updates
on November 28, 2026. This update brings ClamAV 1.4 to stretch, extending
the upstream support period.





ELA-1679-1 libyaml-syck-perl security update


Package : libyaml-syck-perl

Version : 1.31-1+deb10u1 (buster), 1.29-1+deb9u1 (stretch)

Related CVEs :
CVE-2025-11683
CVE-2026-4177

CVE-2025-11683
Missing null terminators in token.c lead to an out-of-bounds read
that allows an adjacent variable to be read. The issue is seen with
complex YAML files containing a hash whose keys all have empty values.

CVE-2026-4177
Several security vulnerabilities including a high-severity heap
buffer overflow in the YAML emitter. The heap overflow occurs when
class names exceed the initial 512-byte allocation. The base64
decoder could read past the buffer end on trailing newlines. strtok
mutated n->type_id in place, corrupting shared node data. A memory
leak occurred in syck_hdlr_add_anchor when a node already had an
anchor. The incoming anchor string 'a' was leaked on early return.





[SECURITY] [DLA 4528-1] webkit2gtk security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4528-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
April 11, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : webkit2gtk
Version : 2.50.6-1~deb11u1
CVE ID : CVE-2025-43214 CVE-2025-43457 CVE-2025-43511 CVE-2026-20608
CVE-2026-20635 CVE-2026-20636 CVE-2026-20644 CVE-2026-20652
CVE-2026-20676

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2025-43214

shandikri discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43457

Gary Kwong and Hossein Lotfi discovered that processing
maliciously crafted web content may lead to an unexpected process
crash.

CVE-2025-43511

Lee Dong Ha discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2026-20608

HanQing and Nan Wang discovered that processing maliciously
crafted web content may lead to an unexpected process crash.

CVE-2026-20635

EntryHi discovered that processing maliciously crafted web content
may lead to an unexpected process crash.

CVE-2026-20636

EntryHi discovered that processing maliciously crafted web content
may lead to an unexpected process crash.

CVE-2026-20644

HanQing and Nan Wang discovered that processing maliciously
crafted web content may lead to an unexpected process crash.

CVE-2026-20652

Nathaniel Oh discovered that a remote attacker may be able to
cause a denial-of-service.

CVE-2026-20676

Tom Van Goethem discovered that a website may be able to track
users through web extensions.

For Debian 11 bullseye, these problems have been fixed in version
2.50.6-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6206-1] gdk-pixbuf security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6206-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 11, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : gdk-pixbuf
CVE ID : CVE-2026-5201
Debian Bug : 1132501

It was discovered that gdk-pixbuf, the GDK Pixbuf library, does not
properly validate color component counts in the JPEG image loader, which
may result in the execution of arbitrary code or denial of service if
specially crafted JPEG images are processed.
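A pre-screening check in the spirit of this advisory, added here as an example and not gdk-pixbuf code: it walks the JPEG marker segments, finds the SOFn frame header, and rejects files whose declared colour component count does not match the segment length, that repeat component ids, or whose count falls outside what a loader expects. The accepted set {1, 3, 4}, the function names and the constructed headers are assumptions of this example; the advisory does not say which component counts gdk-pixbuf mishandled, so this is a conservative filter for an upload path, not a description of the bug.

```python
"""Pre-screen JPEG frame headers before handing files to an image loader."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))      # markers with no length field
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}     # SOF0..SOF15 minus DHT, JPG, DAC
ALLOWED_COMPONENTS = {1, 3, 4}    # grey, YCbCr/RGB, CMYK/YCCK: this example's policy

def iter_segments(data):
    """Yield (marker, payload) for each marker segment up to SOS or EOI; the
    entropy-coded scan data that follows SOS is not parsed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:       # 0xFF fill bytes are allowed
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker, pos = data[pos], pos + 1
        if marker in STANDALONE:
            yield marker, b""
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        length = struct.unpack(">H", data[pos:pos + 2])[0]   # includes the two length bytes
        if length < 2 or pos + length > len(data):
            raise ValueError("segment length %d overruns the file" % length)
        yield marker, data[pos + 2:pos + length]
        pos += length
        if marker == SOS:
            return

def frame_header(data):
    """Parse the first SOFn segment and check it is internally consistent: the
    declared component count must match the segment length, be an accepted value,
    and the component ids must be distinct. Raises ValueError otherwise."""
    for marker, payload in iter_segments(data):
        if marker not in SOF_MARKERS:
            continue
        if len(payload) < 6:
            raise ValueError("SOF payload too short")
        precision, height, width, ncomp = struct.unpack(">BHHB", payload[:6])
        if len(payload) != 6 + 3 * ncomp:
            raise ValueError("SOF length %d inconsistent with %d components"
                             % (len(payload) + 2, ncomp))
        if ncomp not in ALLOWED_COMPONENTS:
            raise ValueError("component count %d not in %s"
                             % (ncomp, sorted(ALLOWED_COMPONENTS)))
        if width == 0:
            raise ValueError("zero image width")
        comps = [struct.unpack(">BBB", payload[6 + 3 * k:9 + 3 * k]) for k in range(ncomp)]
        if len({c[0] for c in comps}) != ncomp:
            raise ValueError("duplicate component ids")
        return {"precision": precision, "width": width, "height": height, "components": comps}
    raise ValueError("no SOF segment before SOS/EOI")

def is_acceptable_jpeg(data):
    """(True, 'ok') if the frame header passes every check, else (False, reason)."""
    try:
        frame_header(data)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def make_jpeg(declared_components, descriptors, width=16, height=16):
    """Constructed minimal JPEG (SOI, APP0, SOF0, EOI) for exercising the checks; it
    carries no scan data and is not a real image. The declared count and the
    descriptor list are separate so that inconsistent headers can be built."""
    sof = struct.pack(">BHHB", 8, height, width, declared_components)
    sof += b"".join(struct.pack(">BBB", *d) for d in descriptors)
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + _segment(0xE0, app0) + _segment(0xC0, sof) + b"\xff\xd9"

# Typical 4:2:0 YCbCr layout: (component id, H<<4 | V sampling factors, quantisation table).
YCBCR = [(1, 0x22, 0), (2, 0x11, 1), (3, 0x11, 1)]
```

Rejecting a file at this stage is cheap and happens before any decoder touches it; the loader's own validation (and the update this advisory ships) remains the real fix, since a header that passes these checks can still be malicious in its scan data.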

For the oldstable distribution (bookworm), this problem has been fixed
in version 2.42.10+dfsg-1+deb12u4.

For the stable distribution (trixie), this problem has been fixed in
version 2.42.12+dfsg-4+deb13u1.

We recommend that you upgrade your gdk-pixbuf packages.

For the detailed security status of gdk-pixbuf please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/gdk-pixbuf

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
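Each advisory above ends with the same recommendation to upgrade, and checking a fleet against the fixed versions means comparing Debian version strings correctly (epochs, "~" sorting before everything, "+debNuM" suffixes). The following is an added example, not Debian tooling: it reimplements the dpkg ordering in Python, carries the fixed versions quoted in this digest, and compares them with `dpkg-query -W -f='${source:Package}\t${Version}\n'` output (a constructed sample is embedded for offline use). The suite passed on the command line, the sample inventory and the function names are assumptions of this example; on a real host, `dpkg --compare-versions` is the authoritative implementation of the ordering.

```python
"""Compare installed Debian package versions with the fixed versions in this digest."""
import subprocess
import sys

# Fixed versions as stated in the advisories above: source package -> suite -> version.
FIXED_VERSIONS = {
    "inetutils":         {"bullseye": "2:2.0-1+deb11u4"},
    "webkit2gtk":        {"bullseye": "2.50.6-1~deb11u1"},
    "gdk-pixbuf":        {"bookworm": "2.42.10+dfsg-1+deb12u4",
                          "trixie":   "2.42.12+dfsg-4+deb13u1"},
    "libyaml-syck-perl": {"stretch":  "1.29-1+deb9u1",
                          "buster":   "1.31-1+deb10u1"},
    "clamav":            {"stretch":  "1.4.3+dfsg-1~deb9u1"},
}

def _order(c):
    """Character weight as in dpkg's order(): '~' sorts before anything, even end of
    string; digits and end of string weigh 0; letters sort before other punctuation."""
    if c == "" or c.isdigit():
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's comparison of one version part: alternate non-digit runs (compared
    by _order) and digit runs (compared numerically, leading zeros ignored)."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    """[epoch:]upstream[-revision] -> (int epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Negative, zero or positive as a is older than, equal to or newer than b
    (Debian Policy 5.6.12 ordering, the one dpkg --compare-versions implements)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Constructed sample of `dpkg-query -W -f='${source:Package}\t${Version}\n'` output
# from a hypothetical bullseye host; not real inventory data.
SAMPLE_INVENTORY = """\
inetutils\t2:2.0-1+deb11u3
webkit2gtk\t2.50.6-1~deb11u1
gdk-pixbuf\t2.42.2+dfsg-1+deb11u2
bash\t5.1-2+deb11u1
"""

def parse_inventory(text):
    """Map source package -> set of installed versions (several binaries share a source)."""
    inventory = {}
    for line in text.splitlines():
        if line.strip():
            source, version = line.split("\t", 1)
            inventory.setdefault(source, set()).add(version)
    return inventory

def unpatched(inventory, suite, fixed=FIXED_VERSIONS):
    """(package, installed, fixed) for installed versions older than this suite's fix.
    Packages the digest does not fix for this suite (gdk-pixbuf on bullseye) are skipped."""
    findings = []
    for package, per_suite in fixed.items():
        if suite not in per_suite or package not in inventory:
            continue
        for installed in sorted(inventory[package]):
            if compare_versions(installed, per_suite[suite]) < 0:
                findings.append((package, installed, per_suite[suite]))
    return findings

if __name__ == "__main__":
    suite = sys.argv[1] if len(sys.argv) > 1 else "bullseye"
    try:
        text = subprocess.run(["dpkg-query", "-W", "-f=${source:Package}\\t${Version}\\n"],
                              check=True, capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_INVENTORY          # no dpkg on this host: fall back to the sample
    for package, have, want in unpatched(parse_inventory(text), suite):
        print("%s: installed %s, fixed in %s" % (package, have, want))
```

Invoked with the suite name as its only argument, the script reports only packages that are both installed and older than that suite's fixed version; comparing a host against the wrong suite's versions produces false positives, which is why the lookup is keyed by suite rather than by package alone.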