
Debian has released several security updates to fix vulnerabilities in various packages, including python-parsl, linux-6.1, chromium, mongo-c-driver, and gnupg2. These vulnerabilities could lead to privilege escalation, denial of service, information leaks, or remote code execution (RCE). Fixed versions of the affected packages are available for Debian 9 (Stretch) ELTS, Debian 10 (Buster) ELTS, Debian 11 (Bullseye) LTS, Debian 12 (Bookworm), and Debian 13 (Trixie).

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1610-1 gnupg2 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4436-1] linux-6.1 security update
[DLA 4438-1] mongo-c-driver security update
[DLA 4437-1] gnupg2 security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6100-1] chromium security update

Debian GNU/Linux 13 (Trixie):
[DSA 6099-1] python-parsl security update



[SECURITY] [DSA 6099-1] python-parsl security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6099-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 14, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python-parsl
CVE ID : CVE-2026-21892

Viral Vaghela discovered an SQL injection vulnerability in Parsl, a
parallel scripting library for Python.

For the stable distribution (trixie), this problem has been fixed in
version 2025.01.13+ds-1+deb13u1.

We recommend that you upgrade your python-parsl packages.

For the detailed security status of python-parsl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-parsl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4436-1] linux-6.1 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4436-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Ben Hutchings
January 14, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : linux-6.1
Version : 6.1.159-1~deb11u1
CVE ID : CVE-2024-47666 CVE-2025-37899 CVE-2025-38057 CVE-2025-38556
CVE-2025-38593 CVE-2025-38678 CVE-2025-39805 CVE-2025-40083
CVE-2025-40211 CVE-2025-40214 CVE-2025-40248 CVE-2025-40252
CVE-2025-40253 CVE-2025-40254 CVE-2025-40257 CVE-2025-40258
CVE-2025-40259 CVE-2025-40261 CVE-2025-40262 CVE-2025-40263
CVE-2025-40264 CVE-2025-40269 CVE-2025-40271 CVE-2025-40272
CVE-2025-40273 CVE-2025-40275 CVE-2025-40277 CVE-2025-40278
CVE-2025-40279 CVE-2025-40280 CVE-2025-40281 CVE-2025-40282
CVE-2025-40283 CVE-2025-40284 CVE-2025-40285 CVE-2025-40286
CVE-2025-40288 CVE-2025-40292 CVE-2025-40293 CVE-2025-40294
CVE-2025-40297 CVE-2025-40301 CVE-2025-40304 CVE-2025-40306
CVE-2025-40308 CVE-2025-40309 CVE-2025-40312 CVE-2025-40313
CVE-2025-40314 CVE-2025-40315 CVE-2025-40317 CVE-2025-40318
CVE-2025-40319 CVE-2025-40321 CVE-2025-40322 CVE-2025-40323
CVE-2025-40324 CVE-2025-40331 CVE-2025-40341 CVE-2025-40342
CVE-2025-40343 CVE-2025-40345 CVE-2025-40360 CVE-2025-40363
CVE-2025-68168 CVE-2025-68171 CVE-2025-68173 CVE-2025-68176
CVE-2025-68177 CVE-2025-68185 CVE-2025-68191 CVE-2025-68192
CVE-2025-68194 CVE-2025-68200 CVE-2025-68204 CVE-2025-68214
CVE-2025-68217 CVE-2025-68218 CVE-2025-68220 CVE-2025-68227
CVE-2025-68229 CVE-2025-68231 CVE-2025-68233 CVE-2025-68237
CVE-2025-68238 CVE-2025-68241 CVE-2025-68244 CVE-2025-68245
CVE-2025-68246 CVE-2025-68282 CVE-2025-68283 CVE-2025-68284
CVE-2025-68285 CVE-2025-68286 CVE-2025-68287 CVE-2025-68288
CVE-2025-68289 CVE-2025-68290 CVE-2025-68295 CVE-2025-68301
CVE-2025-68302 CVE-2025-68303 CVE-2025-68307 CVE-2025-68308
CVE-2025-68310 CVE-2025-68312 CVE-2025-68321 CVE-2025-68327
CVE-2025-68328 CVE-2025-68330 CVE-2025-68331 CVE-2025-68339
CVE-2025-68343 CVE-2025-68734
Debian Bug : 919350 1106411 1114557 1119232 1120602 1120680

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

For Debian 11 bullseye, these problems have been fixed in version
6.1.159-1~deb11u1. This update also fixes several bugs reported to
Debian. It additionally includes many more bug fixes from stable
update 6.1.159.

We recommend that you upgrade your linux-6.1 packages.

For the detailed security status of linux-6.1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-6.1

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6100-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6100-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
January 14, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2026-0899 CVE-2026-0900 CVE-2026-0901 CVE-2026-0902
CVE-2026-0903 CVE-2026-0904 CVE-2026-0905 CVE-2026-0906
CVE-2026-0907 CVE-2026-0908

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the oldstable distribution (bookworm), these problems have been fixed
in version 144.0.7559.59-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 144.0.7559.59-1~deb13u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4438-1] mongo-c-driver security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4438-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Roberto C. Sánchez
January 14, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : mongo-c-driver
Version : 1.17.6-1+deb11u2
CVE ID : CVE-2025-12119

A vulnerability has been discovered in mongo-c-driver, the MongoDB C
client library. If large options are passed, mongoc_bulk_operation_t may
read invalid memory.

For Debian 11 bullseye, this problem has been fixed in version
1.17.6-1+deb11u2.

We recommend that you upgrade your mongo-c-driver packages.

For the detailed security status of mongo-c-driver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mongo-c-driver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4437-1] gnupg2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4437-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Roberto C. Sánchez
January 14, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gnupg2
Version : 2.2.27-2+deb11u3
CVE ID : CVE-2025-68973
Debian Bug : 1124221

Several issues have been discovered in gnupg2, a tool for secure
communication and data storage.

CVE-2025-68973

There exist memory corruptions in the armor parsing code of GnuPG
that can be exploited to provide primitives like out of bounds
buffer read and write. This might be exploitable to the point of
remote code execution (RCE).

Additional issues:

+ Potential key signature digest algorithm downgrade.

GnuPG may downgrade the message digest algorithm to the insecure SHA1
algorithm during signature checking due to reading from
uninitialized memory. This reduces the security of User ID
Certification Signatures to that of SHA1. SHA1 suffers from known
cryptographic weaknesses such as chosen-prefix attacks.

+ Multiple plaintext attack on detached PGP signatures.

An attacker can arbitrarily swap the plaintext shown to a GnuPG
user, depending on whether the user verifies a detached signature or
views it with `--decrypt`. This attack allows deceiving users who
verify messages while following GnuPG usage best practices about the
content of a message signed with a detached signature. Note that in
many scenarios it is possible to convert between signature types,
i.e., to convert a different signature type into a detached signature.

+ GnuPG Accepts Path Separators and Path Traversals in Literal Data.

GnuPG accepts arbitrary file paths in the unsigned Literal Data
packet filename field and uses that value without sufficient
sanitization. In combination with tricking a user with ANSI
formatted output that changes GnuPG output with deceptive apparent
GnuPG logs, this can lead to creation or overwrite of any file on
the system the user can write to, including executable files which
the user may later execute.

For Debian 11 bullseye, these problems have been fixed in version
2.2.27-2+deb11u3.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnupg2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1610-1 gnupg2 security update


Package : gnupg2
Version : 2.1.18-8~deb9u6 (stretch), 2.2.12-1+deb10u3 (buster)

Related CVEs :
CVE-2025-68973

Several issues have been discovered in gnupg2, a tool for secure
communication and data storage.

CVE-2025-68973
There exist memory corruptions in the armor parsing code of GnuPG
that can be exploited to provide primitives like out of bounds
buffer read and write. This might be exploitable to the point of
remote code execution (RCE).

Additional issues:
+ Potential key signature digest algorithm downgrade.

GnuPG may downgrade the message digest algorithm to the insecure SHA1
algorithm during signature checking due to reading from
uninitialized memory. This reduces the security of User ID
Certification Signatures to that of SHA1. SHA1 suffers from known
cryptographic weaknesses such as chosen-prefix attacks.

+ Multiple plaintext attack on detached PGP signatures.

An attacker can arbitrarily swap the plaintext shown to a GnuPG
user, depending on whether the user verifies a detached signature or
views it with `--decrypt`. This attack allows deceiving users who
verify messages while following GnuPG usage best practices about the
content of a message signed with a detached signature. Note that in
many scenarios it is possible to convert between signature types,
i.e., to convert a different signature type into a detached signature.

+ GnuPG Accepts Path Separators and Path Traversals in Literal Data.

GnuPG accepts arbitrary file paths in the unsigned Literal Data
packet filename field and uses that value without sufficient
sanitization. In combination with tricking a user with ANSI
formatted output that changes GnuPG output with deceptive apparent
GnuPG logs, this can lead to creation or overwrite of any file on
the system the user can write to, including executable files which
the user may later execute.
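The Literal Data filename issue described in both the DLA-4437-1 and ELA-1610-1 texts above, shown from the consumer's side as an added example (this is illustrative code, not GnuPG's own): it parses an OpenPGP Literal Data packet (RFC 4880 tag 11; assumes a new-format header with a one-octet length for brevity) and refuses to act on any filename carrying path separators, traversal components or control characters before that name is written to disk or echoed into a log. The packet builder and its sample filenames are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

LITERAL_DATA_TAG = 11  # OpenPGP packet tag for Literal Data (RFC 4880 section 5.9)


@dataclass
class LiteralData:
    fmt: str        # 'b' (binary), 't' (text) or 'u' (UTF-8 text)
    filename: str   # unsigned field: fully under the sender's control
    date: int       # 32-bit timestamp, also unsigned
    body: bytes


def parse_literal_data(packet: bytes) -> LiteralData:
    """Parse a new-format Literal Data packet whose body length fits in one octet."""
    if len(packet) < 2 or not (packet[0] & 0x80) or not (packet[0] & 0x40):
        raise ValueError("not a new-format OpenPGP packet")
    if packet[0] & 0x3F != LITERAL_DATA_TAG:
        raise ValueError("not a Literal Data packet")
    body_len = packet[1]
    if body_len >= 192:  # simplifying assumption: no multi-octet lengths
        raise ValueError("only one-octet body lengths are handled here")
    body = packet[2:2 + body_len]
    if len(body) != body_len or len(body) < 6:
        raise ValueError("truncated packet")
    fmt, name_len = chr(body[0]), body[1]
    if len(body) < 2 + name_len + 4:
        raise ValueError("truncated filename or date")
    filename = body[2:2 + name_len].decode("utf-8", errors="replace")
    (date,) = struct.unpack(">I", body[2 + name_len:6 + name_len])
    return LiteralData(fmt, filename, date, bytes(body[6 + name_len:]))


def is_safe_output_name(name: str) -> bool:
    """Accept only a bare file name: no separators, traversal, NUL or control bytes.

    Control bytes are rejected too, since an ESC sequence in the name would let a
    sender reshape the terminal output that reports what was written.
    """
    if not name or name in (".", "..") or len(name) > 255:
        return False
    if "/" in name or "\\" in name:
        return False
    return all(0x20 <= ord(c) != 0x7F for c in name)


def build_literal_packet(filename: bytes, data: bytes, fmt: bytes = b"b") -> bytes:
    """Constructed sample packet for the demonstration (not real GnuPG output)."""
    body = fmt + bytes([len(filename)]) + filename + struct.pack(">I", 0) + data
    return bytes([0xC0 | LITERAL_DATA_TAG, len(body)]) + body
```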

