[DSA 6362-1] gst-plugins-bad1.0 security update
[DSA 6363-1] python-urllib3 security update
[DLA 4643-1] imagemagick security update
[DLA 4642-1] u-boot security update
[DLA 4641-1] beets security update
[SECURITY] [DSA 6362-1] gst-plugins-bad1.0 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6362-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 23, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : gst-plugins-bad1.0
CVE ID : CVE-2026-52718 CVE-2026-52719 CVE-2026-53701
Multiple security vulnerabilities were discovered in plugins for
the GStreamer media framework and its codecs and demuxers, which
may result in denial of service or potentially the execution of
arbitrary code if a malformed media file is opened.
For the stable distribution (trixie), these problems have been fixed in
version 1.26.2-3+deb13u2.
We recommend that you upgrade your gst-plugins-bad1.0 packages.
For the detailed security status of gst-plugins-bad1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6363-1] python-urllib3 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6363-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 23, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : python-urllib3
CVE ID : CVE-2026-44431
It was discovered that the urllib3 Python HTTP library didn't sanitise
some cross-origin redirects, which could result in information
disclosure.
For the stable distribution (trixie), this problem has been fixed in
version 2.3.0-3+deb13u2.
We recommend that you upgrade your python-urllib3 packages.
For the detailed security status of python-urllib3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-urllib3
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4643-1] imagemagick security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4643-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
June 23, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : imagemagick
Version : 8:6.9.11.60+dfsg-1.3+deb11u14 8:6.9.11.60+dfsg-1.6+deb12u11
CVE ID : CVE-2026-48733 CVE-2026-48734 CVE-2026-48994 CVE-2026-49218
CVE-2026-53460 CVE-2026-53463
Debian Bug : 1140176
Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to denial of service, information disclosure or potentially
arbitrary code execution if malformed images are processed.
For Debian 11 bullseye, these problems have been fixed in version
8:6.9.11.60+dfsg-1.3+deb11u14.
For Debian 12 bookworm, these problems have been fixed in version
8:6.9.11.60+dfsg-1.6+deb12u11.
We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4642-1] u-boot security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4642-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
June 23, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : u-boot
Version : 2021.01+dfsg-5+deb11u3 2023.01+dfsg-2+deb12u3
CVE ID : CVE-2024-42040 CVE-2026-46728
Debian Bug : 1081557 1136954
Multiple issues were found in u-boot, a cross-platform bootloader for
embedded systems, which could lead to an information leak and a
signature verification bypass.
CVE-2024-42040
    buffer overread vulnerability in the DHCP implementation
CVE-2026-46728
    mishandles use of unit addresses in a FIT
For Debian 11 bullseye, these problems have been fixed in version
2021.01+dfsg-5+deb11u3.
For Debian 12 bookworm, these problems have been fixed in version
2023.01+dfsg-2+deb12u3.
We recommend that you upgrade your u-boot packages.
For the detailed security status of u-boot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/u-boot
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4641-1] beets security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4641-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emmanuel Arias
June 23, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : beets
Version : 1.4.9-7+deb11u1
CVE ID : CVE-2026-42052
Debian Bug : 1135779
It was discovered that beets, a media library management system, has a
vulnerability that allows an attacker to run arbitrary JavaScript code
in the victim's browser, exfiltrate viewable data, and perform
UI-driven actions within the victim's session.
For Debian 11 bullseye, this problem has been fixed in version
1.4.9-7+deb11u1.
We recommend that you upgrade your beets packages.
For the detailed security status of beets please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/beets
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS