Debian 10900

Four Debian Security Advisories were published on May 10, 2026, each with fixed packages for both oldstable (bookworm) and stable (trixie). Two vulnerabilities in the Corosync cluster engine could result in denial of service or memory disclosure. Six vulnerabilities in Tor could result in denial of service. A use-after-free was found in libpng, the library used to read and write PNG files, so any application that decodes untrusted PNG data through it is exposed. Two integer overflows were found in the LittleCMS 2 colour management library, which many image and document viewers load to handle ICC profiles. The fixed versions are listed in each advisory below; after upgrading, restart the corosync and tor services and any long-running application linked against libpng or lcms2, since a running process keeps the old library mapped until it is restarted.

[DSA 6261-1] corosync security update
[DSA 6260-1] tor security update
[DSA 6263-1] libpng1.6 security update
[DSA 6262-1] lcms2 security update




[SECURITY] [DSA 6261-1] corosync security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6261-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 10, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : corosync
CVE ID : CVE-2026-35091 CVE-2026-35092

Two security vulnerabilities were discovered in the Corosync cluster
engine, which could result in denial of service or memory disclosure.

For the oldstable distribution (bookworm), these problems have been fixed
in version 3.1.7-1+deb12u2.

For the stable distribution (trixie), these problems have been fixed in
version 3.1.9-2+deb13u1.

We recommend that you upgrade your corosync packages.

For the detailed security status of corosync please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/corosync

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6260-1] tor security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6260-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 10, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tor
CVE ID : CVE-2026-44597 CVE-2026-44599 CVE-2026-44600
CVE-2026-44601 CVE-2026-44602 CVE-2026-44603

Multiple security vulnerabilities were discovered in Tor, a connection-
based low-latency anonymous communication system, which could result in
denial of service.

For the oldstable distribution (bookworm), these problems have been fixed
in version 0.4.9.8-0+deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 0.4.9.8-0+deb13u1.

We recommend that you upgrade your tor packages.

For the detailed security status of tor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tor

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6263-1] libpng1.6 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6263-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 10, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libpng1.6
CVE ID : CVE-2026-34757

A use-after-free was discovered in libpng, a library implementing an
interface for reading and writing PNG (Portable Network Graphics) files.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.6.39-2+deb12u5.

For the stable distribution (trixie), this problem has been fixed in
version 1.6.48-1+deb13u5.

We recommend that you upgrade your libpng1.6 packages.

For the detailed security status of libpng1.6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6262-1] lcms2 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6262-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 10, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : lcms2
CVE ID : CVE-2026-41254 CVE-2026-42798

Two integer overflows were discovered in the LittleCMS 2 colour
management library.

For the oldstable distribution (bookworm), these problems have been fixed
in version 2.14-2+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 2.16-2+deb13u2.

We recommend that you upgrade your lcms2 packages.

For the detailed security status of lcms2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lcms2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
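The four advisories above each name a fixed version per suite, and the practical question on every host is whether the installed version is at least that. The following is an added example, not part of the advisories or of Debian's own tooling: it ports dpkg's version-comparison algorithm (Debian Policy 5.6.12, the same ordering `dpkg --compare-versions` applies) to Python, embeds the fixed versions quoted from the four advisories, and checks them against the output of `dpkg-query -W -f='${source:Package} ${source:Version}\n'`. The `SAMPLE_BOOKWORM` text is constructed for illustration and is not real dpkg output; on a real host you would feed the command's actual output to `parse_dpkg_query`. The advisories name source packages, so the example keys on `source:Package` rather than on binary package names such as `libpng16-16` or `liblcms2-2`.

```python
"""Check installed Debian packages against the fixed versions named in
DSA-6260-1 through DSA-6263-1 (added example, not Debian tooling)."""

# Fixed versions quoted from the four advisories, keyed by
# (source package, suite).
FIXED = {
    ("corosync", "bookworm"): "3.1.7-1+deb12u2",
    ("corosync", "trixie"): "3.1.9-2+deb13u1",
    ("tor", "bookworm"): "0.4.9.8-0+deb12u1",
    ("tor", "trixie"): "0.4.9.8-0+deb13u1",
    ("libpng1.6", "bookworm"): "1.6.39-2+deb12u5",
    ("libpng1.6", "trixie"): "1.6.48-1+deb13u5",
    ("lcms2", "bookworm"): "2.14-2+deb12u1",
    ("lcms2", "trixie"): "2.16-2+deb13u2",
}


def _order(c: str) -> int:
    """Sort weight of one character, as in dpkg: '~' sorts before everything
    (even the end of the string), letters sort before other characters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or revision) the dpkg
    way: alternate non-digit runs (character-wise via _order) and digit
    runs (numerically, leading zeros ignored). Port of dpkg's verrevcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision]; a missing revision equals '0'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0


def parse_dpkg_query(output: str) -> dict:
    """Parse lines of '<source package> <source version>' as produced by
    dpkg-query -W -f='${source:Package} ${source:Version}\\n'. A source
    package appears once per binary package built from it; on a consistent
    system they share one source version, so keeping the last is fine."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def needs_update(suite: str, installed: dict) -> list:
    """Return [(source package, installed, fixed)] for packages that are
    installed but older than the advisory's fixed version for `suite`."""
    vulnerable = []
    for (pkg, s), fixed in FIXED.items():
        if s == suite and pkg in installed and compare_versions(installed[pkg], fixed) < 0:
            vulnerable.append((pkg, installed[pkg], fixed))
    return vulnerable


# Constructed sample for a bookworm host (not real dpkg output): tor is
# already at the fixed version, the other three packages are not.
SAMPLE_BOOKWORM = """\
corosync 3.1.7-1+deb12u1
tor 0.4.9.8-0+deb12u1
libpng1.6 1.6.39-2+deb12u4
libpng1.6 1.6.39-2+deb12u4
lcms2 2.14-2
"""

if __name__ == "__main__":
    for pkg, have, want in needs_update("bookworm", parse_dpkg_query(SAMPLE_BOOKWORM)):
        print(f"{pkg}: installed {have} is older than fixed {want}")
```

The comparison must follow dpkg's rules rather than a plain string or float compare: `1.6.10` is newer than `1.6.9`, `1.0~rc1` is older than `1.0`, and a version with no Debian revision (`2.14-2`) is older than the same version with a `+deb12u1` suffix. Getting any of these wrong silently reports a vulnerable host as patched.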