ELA-1751-1 dovecot security update
[DSA 6324-1] request-tracker5 security update
[DSA 6323-1] apache2 security update
[DLA 4619-1] tomcat9 security update
ELA-1751-1 dovecot security update
Package : dovecot
Version : 1:2.3.4.1-5+deb10u9 (buster)
Related CVEs :
CVE-2025-59031
CVE-2025-59032
CVE-2026-0394
CVE-2026-27856
CVE-2026-27857
CVE-2026-27858
CVE-2026-27859
CVE-2026-33603
CVE-2026-40020
Multiple vulnerabilities were discovered in dovecot, a POP3/IMAP server,
which could lead to denial of service, information leak, path traversal,
authentication bypass or timing side-channel attacks.
CVE-2025-59031
The decode2text.sh example script, which was installed into
dovecot-core/examples, was found to handle zip-style attachments in an
unsafe manner. In particular, OOXML extraction may follow symlinks
and read unintended files during indexing. The script is no longer
installed.
CVE-2025-59032
It was found that the ManageSieve AUTHENTICATE command crashes the
ManageSieve service when a literal is used as the SASL initial response,
leading to denial of service.
CVE-2026-0394
A path traversal vulnerability was discovered in the passwd-file
passdb/userdb when dovecot has been configured to use per-domain
passwd files, which could inadvertently cause /etc/passwd to be read in
some situations. If this file contains passwords, it can be used to
authenticate incorrectly, or if it is used as the userdb, it can make
system users incorrectly appear to be valid users.
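The traversal pattern this entry describes, shown as an added example in C that is not Dovecot's code: a per-domain passwd-file path is built by substituting a client-supplied domain into a template, and an unvalidated domain such as ".." moves the resulting path out of the intended directory. The template, the %d placeholder and all function names are assumptions for illustration; the advisory does not state the exact condition that triggers the Dovecot bug, and this is not a reproduction of it. The hardened version accepts the domain only as a single hostname-like path component.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive expansion: replace each %d in tmpl with domain, writing into out
 * (outsz bytes). Returns 0 on success, -1 if the result would not fit.
 * Nothing about the domain is checked, so ".." turns the assumed template
 * "/etc/dovecot/%d/passwd" into "/etc/dovecot/../passwd", which resolves
 * to /etc/passwd. */
int expand_domain_path(const char *tmpl, const char *domain,
                       char *out, size_t outsz)
{
    size_t o = 0, dlen = strlen(domain);
    if (outsz == 0) return -1;
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (p[0] == '%' && p[1] == 'd') {
            if (o + dlen >= outsz) return -1;
            memcpy(out + o, domain, dlen);
            o += dlen;
            p++;                      /* skip the 'd' of "%d" */
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Accept the domain only as one non-empty path component made of the
 * characters a hostname may contain: letters, digits, '-' and '.'.
 * This rejects '/', a lone "." or "..", and the empty string. */
int domain_is_safe_component(const char *domain)
{
    if (domain == NULL || domain[0] == '\0') return 0;
    if (strcmp(domain, ".") == 0 || strcmp(domain, "..") == 0) return 0;
    for (const char *p = domain; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Hardened expansion: validate the component before it reaches the path. */
int safe_expand_domain_path(const char *tmpl, const char *domain,
                            char *out, size_t outsz)
{
    if (!domain_is_safe_component(domain)) return -1;
    return expand_domain_path(tmpl, domain, out, outsz);
}

/* Convenience check: 1 if the chosen expansion succeeds and yields exactly
 * expected, 0 otherwise (safe selects the hardened variant). */
int expands_to(const char *tmpl, const char *domain, int safe,
               const char *expected)
{
    char buf[128];
    int rc = safe ? safe_expand_domain_path(tmpl, domain, buf, sizeof buf)
                  : expand_domain_path(tmpl, domain, buf, sizeof buf);
    return rc == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: one legitimate domain and three hostile ones. */
    const char *tmpl = "/etc/dovecot/%d/passwd";
    const char *inputs[] = { "example.org", "..", "", "a/b" };
    char path[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int naive = expand_domain_path(tmpl, inputs[i], path, sizeof path);
        printf("domain \"%s\": naive -> %s\n", inputs[i],
               naive == 0 ? path : "(too long)");
        int safe = safe_expand_domain_path(tmpl, inputs[i], path, sizeof path);
        printf("               safe  -> %s\n", safe == 0 ? path : "(rejected)");
    }
    return 0;
}
```

Whitelisting the component is preferable to blacklisting ".." because it also catches encodings and separators the check author did not think of; resolving the final path with realpath(3) and confirming it stays under the configured directory is a second, independent layer.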
CVE-2026-27856
Doveadm credentials were not checked using timing-safe comparison
functions. An attacker can exploit this issue to discover the configured
credentials, leading to full access to the affected component.
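The distinction behind this entry, shown as an added example in C that is not Dovecot's code: an early-exit comparison returns at the first mismatching byte, so response time reveals how many leading bytes of a guessed credential were correct, while the constant-time version visits every byte and folds all differences into one accumulator with no data-dependent branch. Function names and the sample secret are assumptions for illustration; the only thing the safe version still reveals is the length of the configured credential, which is the usual trade-off.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit check, the pattern a timing-safe check replaces: strcmp stops
 * at the first differing byte, so the time taken depends on how many leading
 * bytes of the supplied value are correct. */
int unsafe_credential_matches(const char *configured, const char *supplied)
{
    return strcmp(configured, supplied) == 0;
}

/* Constant-time check. Every byte of the supplied value is visited and all
 * differences are OR-ed into one accumulator; there is no early return and
 * no branch on secret bytes. A length mismatch is recorded as data and the
 * loop still runs over the full supplied length. Only the length of the
 * configured credential remains observable. */
int credential_matches(const char *configured, size_t configured_len,
                       const char *supplied, size_t supplied_len)
{
    uint8_t diff = (uint8_t)(configured_len != supplied_len);
    for (size_t i = 0; i < supplied_len; i++) {
        /* Beyond the configured value compare against 0; this condition
         * depends on lengths only, never on the secret bytes themselves. */
        uint8_t c = (i < configured_len) ? (uint8_t)configured[i] : 0;
        diff |= c ^ (uint8_t)supplied[i];
    }
    /* Collapse diff to 1 (equal) or 0 (different) without branching:
     * diff == 0 underflows to all-ones, anything else stays below 256. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

int main(void)
{
    /* Constructed sample credential; in practice it comes from configuration. */
    const char *configured = "s3cret";
    const char *attempt = "s3cref";
    printf("unsafe:        %d\n", unsafe_credential_matches(configured, attempt));
    printf("constant-time: %d\n",
           credential_matches(configured, strlen(configured),
                              attempt, strlen(attempt)));
    return 0;
}
```

When a stored credential is hashed rather than kept in plain text, compare the fixed-length digests the same way; the early-exit leak applies to digest bytes exactly as it does to password bytes.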
CVE-2026-27857
It was discovered that sending excessive parentheses caused the
imap-login process to use excessive memory, leading to denial of
service.
CVE-2026-27858
It was discovered that the managesieve-login process could allocate a
large amount of memory during authentication via a specifically crafted
message, leading to denial of service.
CVE-2026-27859
It was discovered that excessive RFC 2231 MIME parameters in an email
would cause excessive CPU usage, which could lead to denial of
service. Dovecot now limits the number of parameters it processes.
CVE-2026-33603
An attacker can use a specially crafted base64 exchange between
Dovecot and the client to fake SCRAM TLS channel binding and later
eavesdrop on communications between Dovecot and the client as a
man-in-the-middle proxy.
CVE-2026-40020
An attacker can use the IMAP SETACL command to inject the anyone
permission into a user's dovecot-acl file even if
imap_acl_allow_anyone=no, thereby allowing folders to be spammed
to all users. (The impact was limited to being able to spam folders
to other users. No unexpected access is gained.)
[SECURITY] [DSA 6324-1] request-tracker5 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6324-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 06, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : request-tracker5
CVE ID : CVE-2026-6841 CVE-2026-41073 CVE-2026-41075 CVE-2026-41076
CVE-2026-44229 CVE-2026-44230 CVE-2026-44231
Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system, which could result in privilege
escalation, information disclosure, SQL injection, LDAP authentication
bypass, cross-site scripting or spreadsheet (CSV/formula) injection.
For the oldstable distribution (bookworm), these problems have been fixed
in version 5.0.3+dfsg-3~deb12u6.
For the stable distribution (trixie), these problems have been fixed in
version 5.0.7+dfsg-4+deb13u3.
We recommend that you upgrade your request-tracker5 packages.
For the detailed security status of request-tracker5 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/request-tracker5
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6323-1] apache2 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6323-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 06, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : apache2
CVE ID : CVE-2026-49975
Debian Bug : 1138750
It was discovered that incorrect cookie header accounting in the HTTP/2
implementation of the Apache HTTP server may result in denial of service
(excessive resource consumption).
For the oldstable distribution (bookworm), this problem has been fixed
in version 2.4.67-1~deb12u3.
For the stable distribution (trixie), this problem has been fixed in
version 2.4.67-1~deb13u3.
We recommend that you upgrade your apache2 packages.
For the detailed security status of apache2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/apache2
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4619-1] tomcat9 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4619-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 07, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : tomcat9
Version : 9.0.118-0+deb11u1
CVE ID : CVE-2026-24880 CVE-2026-25854 CVE-2026-29129 CVE-2026-29145
CVE-2026-29146 CVE-2026-32990 CVE-2026-34483 CVE-2026-34487
CVE-2026-34500 CVE-2026-41284 CVE-2026-41293 CVE-2026-42498
CVE-2026-43512 CVE-2026-43513 CVE-2026-43514 CVE-2026-43515
Multiple security vulnerabilities have been discovered in Tomcat 9, a
Java-based web server, servlet and JSP engine, which may result in a denial
of service, authentication bypass or the disclosure of sensitive information.
In order to address certain vulnerabilities and restore compatibility with
Tomcat 9, an upgrade of the Tomcat native library, libtcnative-1, was required
as well.
Although we are not aware of any problems, new upstream versions may introduce
new options, limits or code changes which may or may not affect your existing
web applications. We recommend consulting the Tomcat 9 documentation for
further information.
For Debian 11 bullseye, these problems have been fixed in version
9.0.118-0+deb11u1.
We recommend that you upgrade your tomcat9 packages.
For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS