[SECURITY] [DLA 4625-1] dnsmasq security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4625-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arnaud Rebillout
June 10, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : dnsmasq
Version : 2.85-1+deb11u2
CVE ID : CVE-2026-2291 CVE-2026-4890 CVE-2026-4891 CVE-2026-4892
CVE-2026-4893
Several vulnerabilities have been discovered in dnsmasq, a caching DNS
proxy and DHCP/TFTP server.
CVE-2026-2291
dnsmasq's extract_name() function can be abused to cause a heap buffer
overflow, allowing an attacker to inject false DNS cache entries,
which could result in DNS lookups being redirected to an
attacker-controlled IP address, or in a DoS.
CVE-2026-4890
A Denial of Service (DoS) vulnerability in the DNSSEC validation of
dnsmasq allows remote attackers to cause a denial of service via a
crafted DNS packet.
CVE-2026-4891
A heap-based out-of-bounds read vulnerability in the DNSSEC validation
of dnsmasq allows remote attackers to cause a denial of service via a
crafted DNS packet.
CVE-2026-4892
A heap-based out-of-bounds write vulnerability in the DHCPv6
implementation of dnsmasq allows local attackers to execute arbitrary
code with root privileges via a crafted DHCPv6 packet.
CVE-2026-4893
An information disclosure vulnerability in dnsmasq allows remote
attackers to bypass source checks via a crafted DNS packet with RFC
7871 client subnet information.
For Debian 11 bullseye, these problems have been fixed in version
2.85-1+deb11u2.
We recommend that you upgrade your dnsmasq packages.
For the detailed security status of dnsmasq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dnsmasq
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6330-1] strongswan security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6330-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
June 08, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : strongswan
CVE ID : CVE-2026-47895
Debian Bug :
Elliott Childre identified a vulnerability in strongSwan, an IKE/IPsec suite.
The bug happens when cloning certain identities and can lead to a double-free,
a daemon crash (leading to denial of service) and potentially remote code
execution.
Upstream lists several mitigations:
- Servers that don't use EAP or XAuth authentication are not vulnerable to
remote attacks.
- Servers that use EAP authentication but delegate it to a RADIUS server and
don't request an EAP-Identity themselves are not vulnerable either. However,
note that the `eap-radius` plugin parses `Class` and `Filter-Id` attributes
as group identities if enabled, in which case a rogue RADIUS server is able
to trigger the issue.
- Servers that use IKEv1 with XAuth are not vulnerable unless they use the
`xauth-eap` plugin.
For the oldstable distribution (bookworm), this problem has been fixed
in version 5.9.8-5+deb12u5.
For the stable distribution (trixie), this problem has been fixed in
version 6.0.1-6+deb13u6.
We recommend that you upgrade your strongswan packages.
For the detailed security status of strongswan please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/strongswan
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6337-1] chromium security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6337-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
June 10, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2026-11628 CVE-2026-11629 CVE-2026-11630 CVE-2026-11631
CVE-2026-11632 CVE-2026-11633 CVE-2026-11634 CVE-2026-11635
CVE-2026-11636 CVE-2026-11637 CVE-2026-11638 CVE-2026-11639
CVE-2026-11640 CVE-2026-11641 CVE-2026-11642 CVE-2026-11643
CVE-2026-11644 CVE-2026-11645 CVE-2026-11646 CVE-2026-11647
CVE-2026-11648 CVE-2026-11649 CVE-2026-11650 CVE-2026-11651
CVE-2026-11652 CVE-2026-11653 CVE-2026-11654 CVE-2026-11655
CVE-2026-11656 CVE-2026-11657 CVE-2026-11658 CVE-2026-11659
CVE-2026-11660 CVE-2026-11661 CVE-2026-11662 CVE-2026-11663
CVE-2026-11664 CVE-2026-11665 CVE-2026-11666 CVE-2026-11667
CVE-2026-11668 CVE-2026-11669 CVE-2026-11670 CVE-2026-11671
CVE-2026-11672 CVE-2026-11673 CVE-2026-11674 CVE-2026-11675
CVE-2026-11676 CVE-2026-11677 CVE-2026-11678 CVE-2026-11679
CVE-2026-11680 CVE-2026-11681 CVE-2026-11682 CVE-2026-11683
CVE-2026-11684 CVE-2026-11685 CVE-2026-11686 CVE-2026-11687
CVE-2026-11688 CVE-2026-11689 CVE-2026-11690 CVE-2026-11691
CVE-2026-11692 CVE-2026-11693 CVE-2026-11694 CVE-2026-11695
CVE-2026-11696 CVE-2026-11697 CVE-2026-11698 CVE-2026-11699
CVE-2026-11700 CVE-2026-11701
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
For the oldstable distribution (bookworm), these problems have been fixed
in version 149.0.7827.102-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 149.0.7827.102-1~deb13u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6336-1] jackson-core security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6336-1 security@debian.org
https://www.debian.org/security/ Markus Koschany
June 10, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : jackson-core
CVE ID : CVE-2025-52999
Debian Bug : 1108367
A flaw was discovered in jackson-core, a fast and powerful JSON library for
Java, which may allow an attacker to cause a denial of service by using deeply
nested JSON data.
Please note that related and complementary jackson-* packages like
jackson-databind or jackson-dataformat-smile had to be upgraded as well in
order to fix build failures caused by the changes to jackson-core.
For the oldstable distribution (bookworm), this problem has been fixed
in version 2.14.1-2~deb12u1.
For the stable distribution (trixie), this problem has been fixed in
version 2.14.1-2~deb13u1.
We recommend that you upgrade your jackson-core packages.
For the detailed security status of jackson-core please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-core
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
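As an added defender's check, not part of any of the advisories above: this script compares an installed package version against the fixed versions quoted in these four advisories using Debian's version ordering (epoch, then upstream version, then Debian revision, with `~` sorting before anything, including the end of the string). The comparison is my own reimplementation of the rules from Debian Policy rather than dpkg's code, and FIXED_VERSIONS holds only the versions the advisories state.

```python
import re
from itertools import zip_longest

# Fixed versions quoted in the advisories above, keyed by (package, suite).
FIXED_VERSIONS = {
    ("dnsmasq", "bullseye"): "2.85-1+deb11u2",
    ("strongswan", "bookworm"): "5.9.8-5+deb12u5",
    ("strongswan", "trixie"): "6.0.1-6+deb13u6",
    ("chromium", "bookworm"): "149.0.7827.102-1~deb12u1",
    ("chromium", "trixie"): "149.0.7827.102-1~deb13u1",
    ("jackson-core", "bookworm"): "2.14.1-2~deb12u1",
    ("jackson-core", "trixie"): "2.14.1-2~deb13u1",
}

def _order(c):
    # dpkg ordering for non-digit characters: '~' < end of string < letters < others
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare upstream or revision strings with dpkg's alternating non-digit/digit rule."""
    while a or b:
        pa, pb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for ca, cb in zip_longest(pa, pb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        a, b = a[len(pa):], b[len(pb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def debian_version_cmp(a, b):
    """Negative, zero or positive, like dpkg --compare-versions on [epoch:]upstream[-revision]."""
    ea, ua = a.split(":", 1) if ":" in a else ("0", a)
    eb, ub = b.split(":", 1) if ":" in b else ("0", b)
    if int(ea) != int(eb):
        return int(ea) - int(eb)
    ua, ra = ua.rsplit("-", 1) if "-" in ua else (ua, "0")  # missing revision == 0
    ub, rb = ub.rsplit("-", 1) if "-" in ub else (ub, "0")
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(package, suite, installed):
    """True when the installed version is at or above the advisory's fixed version."""
    return debian_version_cmp(installed, FIXED_VERSIONS[(package, suite)]) >= 0
```

The installed version to feed into is_fixed() can be read on the host with `dpkg-query -W -f='${Version}' <package>`.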