Debian 10903

Debian issued multiple security advisories that target serious vulnerabilities in popular packages including dnsmasq, python-authlib, rails, and p7zip. Attackers could exploit these flaws to bypass authentication mechanisms, trigger remote code execution, or crash systems via memory corruption and denial of service attacks. System administrators should upgrade their affected software immediately since the patched versions are already available for various Debian releases. You can find exact version numbers and detailed tracking information on the official Debian security pages.

[DSA 6264-1] dnsmasq security update
[DLA 4579-1] python-authlib security update
[DLA 4578-1] rails security update
[DLA 4577-1] p7zip-rar security update
[DLA 4576-1] p7zip security update
ELA-1716-1 rails security update

[SECURITY] [DSA 6264-1] dnsmasq security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-6264-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 11, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : dnsmasq
CVE ID : CVE-2026-2291 CVE-2026-4890 CVE-2026-4891
CVE-2026-4892 CVE-2026-4893 CVE-2026-5172

Multiple security vulnerabilities have been discovered in Dnsmasq, a
lightweight DNS forwarder and DHCP server, which could result in cache
poisoning, bypass of security controls, denial of service or local
privilege escalation.

For the oldstable distribution (bookworm), these problems have been fixed
in version 2.90-4~deb12u2.

For the stable distribution (trixie), these problems have been fixed in
version 2.91-1+deb13u1.

We recommend that you upgrade your dnsmasq packages.

For the detailed security status of dnsmasq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dnsmasq

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4579-1] python-authlib security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4579-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emmanuel Arias
May 11, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-authlib
Version : 0.15.4-1+deb11u2
CVE ID : CVE-2026-27962 CVE-2026-28490 CVE-2026-28498

Three security vulnerabilities were discovered in python-authlib, a Python
library for building OAuth and OpenID Connect servers, which can lead to
authentication bypass or information leaks.

CVE-2026-27962

Authentication and authorization bypass: when key=None is passed to the JWS
deserialization functions, a crafted public key embedded in the jwk header
field is trusted for signature verification.

CVE-2026-28490

Authlib exposed distinguishable error responses between invalid PKCS#1 v1.5
padding and invalid AES-GCM tag, enabling Bleichenbacher-style attacks.

CVE-2026-28498

OIDC ID Token validation bypass in at_hash and c_hash verification:
_verify_hash() silently returned True when create_half_hash() received an
unknown algorithm, allowing forged ID Tokens to pass validation.

For Debian 11 bullseye, these problems have been fixed in version
0.15.4-1+deb11u2.

We recommend that you upgrade your python-authlib packages.

For the detailed security status of python-authlib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-authlib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4578-1] rails security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4578-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
May 11, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : rails
Version : 2:6.0.3.7+dfsg-2+deb11u5
CVE ID : CVE-2022-32224
Debian Bug : 1016140

An RCE (Remote Code Execution) escalation was discovered in Ruby on
Rails, an MVC Ruby-based framework for web development.

This vulnerability exists when using YAML-serialized columns in Active
Record, and could allow an attacker who is able to manipulate data in
the database (for example via SQL injection) to escalate to RCE.

Common and safe YAML serialization is handled in this update (support
for primary Ruby data types and Symbol, as well as newly-serialized
HashWithIndifferentAccess objects).

If your application serializes other classes as YAML, see the
following page to reference these classes in
config.active_record.yaml_column_permitted_classes, or disable
protection entirely (not recommended, at your own risk) with
config.active_record.use_yaml_unsafe_load=true.
https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017

For Debian 11 bullseye, this problem has been fixed in version
2:6.0.3.7+dfsg-2+deb11u5.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rails

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4577-1] p7zip-rar security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4577-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
May 11, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : p7zip-rar
Version : 16.02+really25.00+ds-0+deb11u1
CVE ID : CVE-2025-53816
Debian Bug : 1109494

Jaroslav Lobačevski from GitHub Security Lab discovered a memory
corruption vulnerability in the RAR module of p7zip, a now
unmaintained fork of 7-Zip, a file archiver handling multiple
formats. It is unlikely to lead to arbitrary code execution, but
it may lead to denial of service.

To address this vulnerability, whose fix is unfortunately not
isolated, and to remain compatible with the new p7zip package
(DLA-4576-1), this update replaces the p7zip code base with 7-Zip v25
(which now supports GNU/Linux natively), slightly modified to make it
reasonably compatible with p7zip.

For Debian 11 bullseye, this problem has been fixed in version
16.02+really25.00+ds-0+deb11u1.

We recommend that you upgrade your p7zip-rar packages.

For the detailed security status of p7zip-rar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/p7zip-rar

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4576-1] p7zip security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4576-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
May 11, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : p7zip
Version : 16.02+really25.01+dfsg-0+deb11u1
CVE ID : CVE-2022-47069 CVE-2023-31102 CVE-2023-40481 CVE-2023-52168
CVE-2023-52169 CVE-2024-11612 CVE-2025-11001 CVE-2025-11002
CVE-2025-53817 CVE-2025-55188
Debian Bug : 1111068

Multiple vulnerabilities were discovered in p7zip, a now unmaintained
fork of 7-Zip, a file archiver handling multiple formats.

To address these security vulnerabilities, whose fixes are
unfortunately not isolated, this update replaces p7zip with 7-Zip v25
(which now supports GNU/Linux natively), slightly modified to make it
reasonably compatible with p7zip.

CVE-2022-47069

Heap-buffer-overflow vulnerability via the function
NArchive::NZip::CInArchive::FindCd.

CVE-2023-31102

Ppmd7.c allows an integer underflow and invalid read operation via
a crafted 7Z archive.

CVE-2023-40481

SquashFS File Parsing Out-Of-Bounds Write RCE

CVE-2023-52168

Heap-based buffer overflow in the NTFS handler.

CVE-2023-52169

Out-of-bounds read in the NTFS handler.

CVE-2024-11612

CopyCoder Infinite Loop Denial-of-Service

CVE-2025-11001

ZIP File Parsing Directory Traversal RCE

CVE-2025-11002

ZIP File Parsing Directory Traversal RCE

CVE-2025-53817

Null pointer dereference in the Compound handler, which may lead to
denial of service.

CVE-2025-55188

p7zip does not always properly handle symbolic links.

For Debian 11 bullseye, these problems have been fixed in version
16.02+really25.01+dfsg-0+deb11u1.

We recommend that you upgrade your p7zip packages.

For the detailed security status of p7zip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/p7zip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

ELA-1716-1 rails security update

Package : rails

Version : 2:5.2.2.1+dfsg-1+deb10u6 (buster)

Related CVEs :
CVE-2022-32224
CVE-2022-44566
CVE-2023-22792
CVE-2023-22795
CVE-2023-22796
CVE-2023-23913
CVE-2023-28120
CVE-2023-28362
CVE-2023-38037
CVE-2024-41128
CVE-2024-47887
CVE-2024-47889
CVE-2024-54133
CVE-2025-24293
CVE-2025-55193

Multiple vulnerabilities were discovered in Ruby on Rails, an MVC
Ruby-based framework for web development. An attacker may escalate to
RCE (remote code execution), launch DoS (denial-of-service) and XSS
(cross-site scripting) attacks, leak sensitive content, or pollute
terminal output.
In particular, this update addresses CVE-2022-32224 which targets
applications leveraging YAML-serialized columns in Active Record.
Common and safe YAML serialization is handled by this fix (support for
primary Ruby data types and Symbol, as well as newly-serialized
HashWithIndifferentAccess objects).
However, if your application serializes other classes as YAML, see the
following page to reference these classes in
config.active_record.yaml_column_permitted_classes, or disable
protection entirely (not recommended, at your own risk) with
config.active_record.use_yaml_unsafe_load=true.
https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
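The allow-list mechanism behind config.active_record.yaml_column_permitted_classes, which both DLA-4578-1 above and this advisory tell administrators to configure, as an added example that is not part of the advisories or of Rails itself. It drives Psych.safe_load directly (the Rails setting is assumed to feed Psych's permitted_classes list); the Preference class and the Hypothetical::Gadget tag are constructed stand-ins, and HashWithIndifferentAccess is left out because it needs ActiveSupport.

```ruby
require "yaml"

# Hypothetical application class stored in a serialized column; it is not
# one of the types the fix permits by default, so it must be listed.
class Preference
  attr_reader :theme
  def initialize(theme)
    @theme = theme
  end
end

# Default allow list mirroring the advisory: Psych.safe_load always accepts
# the primary Ruby types, so only Symbol needs to be listed here.
DEFAULT_PERMITTED = [Symbol].freeze

# Constructed sample column payloads.
SAFE_PAYLOAD = { "title" => "hello", "tags" => [:draft, :news] }.to_yaml
APP_PAYLOAD  = Preference.new("dark").to_yaml
# A tag naming a class the application never serializes: the shape of data
# someone with write access to the column could store (constructed).
FOREIGN_PAYLOAD = "--- !ruby/object:Hypothetical::Gadget\nx: 1\n"

# Deserialize a column payload the way the patched Rails does, through
# Psych.safe_load with an explicit allow list (use_yaml_unsafe_load=true
# would instead revive any class named in the document). Returns
# [:ok, value] or [:rejected, message] so callers can log the attempt.
def load_column(payload, permitted_classes: DEFAULT_PERMITTED)
  value = Psych.safe_load(payload, permitted_classes: permitted_classes,
                                   aliases: true)
  [:ok, value]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p load_column(SAFE_PAYLOAD)     # accepted: strings, arrays, symbols
  p load_column(APP_PAYLOAD)      # rejected until Preference is permitted
  p load_column(APP_PAYLOAD, permitted_classes: DEFAULT_PERMITTED + [Preference])
  p load_column(FOREIGN_PAYLOAD)  # rejected: class never permitted
end
```

A `:rejected` result on a production column is worth alerting on, since it means a stored value names a class the application does not serialize.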

CVE-2022-32224
A possible escalation to RCE vulnerability exists when using YAML
serialized columns in Active Record, which could allow an attacker
who can manipulate data in the database (via means like SQL
injection) to escalate to RCE.

CVE-2022-44566
A denial of service vulnerability present in ActiveRecord’s
PostgreSQL adapter. When a value outside the range for a 64bit
signed integer is provided to the PostgreSQL connection adapter,
it will treat the target column type as numeric. Comparing integer
values against numeric values can result in a slow sequential scan
resulting in potential Denial of Service.

CVE-2023-22792
A regular expression based DoS vulnerability in Action
Dispatch. Specially crafted cookies, in combination with a
specially crafted X_FORWARDED_HOST header can cause the regular
expression engine to enter a state of catastrophic backtracking.

CVE-2023-22795
A regular expression based DoS vulnerability in Action Dispatch
related to the If-None-Match header. A specially crafted HTTP
If-None-Match header can cause the regular expression engine to
enter a state of catastrophic backtracking.

CVE-2023-22796
A regular expression based DoS vulnerability in Active Support. A
specially crafted string passed to the underscore method can cause
the regular expression engine to enter a state of catastrophic
backtracking.

CVE-2023-23913
There is a potential DOM-based cross-site scripting issue in
rails-ujs which leverages the Clipboard API to target HTML
elements that are assigned the contenteditable attribute. This has
the potential to occur when pasting malicious HTML content from
the clipboard that includes a data-method, data-remote or
data-disable-with attribute.

CVE-2023-28120
A vulnerability exists in ActiveSupport if the new bytesplice method is
called on a SafeBuffer with untrusted user input.

CVE-2023-28362
The redirect_to method in Rails allows provided values to contain
characters which are not legal in an HTTP header value. This
results in the potential for downstream services which enforce RFC
compliance on HTTP response headers to remove the assigned
Location header.

CVE-2023-38037
ActiveSupport::EncryptedFile writes contents that will be
encrypted to a temporary file. The temporary file’s permissions
are defaulted to the user’s current umask settings, meaning that
it’s possible for other users on the same system to read the
contents of the temporary file.

CVE-2024-41128
A possible ReDoS vulnerability in the query parameter filtering
routines of Action Dispatch. Carefully crafted query parameters
can cause query parameter filtering to take an unexpected amount
of time, possibly resulting in a DoS vulnerability.

CVE-2024-47887
A possible ReDoS vulnerability in Action Controller’s HTTP Token
authentication. For applications using HTTP Token authentication
via authenticate_or_request_with_http_token or similar, a
carefully crafted header may cause header parsing to take an
unexpected amount of time, possibly resulting in a DoS
vulnerability.

CVE-2024-47889
A possible ReDoS vulnerability in the block_format helper in
Action Mailer. Carefully crafted text can cause the block_format
helper to take an unexpected amount of time, possibly resulting in
a DoS vulnerability.

CVE-2024-54133
A possible Cross Site Scripting (XSS) vulnerability in the
content_security_policy helper of Action Pack. Applications
which set Content-Security-Policy (CSP) headers dynamically from
untrusted user input may be vulnerable to carefully crafted inputs
being able to inject new directives into the CSP. This could lead
to a bypass of the CSP and its protection against XSS and other
attacks.

CVE-2025-24293
Active Storage attempts to prevent the use of potentially unsafe
image transformation methods and parameters by default. The
default allowed list contains three methods allowing for the
circumvention of the safe defaults which enables potential command
injection vulnerabilities in cases where arbitrary user supplied
input is accepted as valid transformation methods or parameters.

CVE-2025-55193
In Active Record logging, the ID passed to find or similar methods
may be logged without escaping. If this is directly to the
terminal it may include unescaped ANSI sequences.
