Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended:
ELA-1669-1 gst-plugins-base1.0 security update
ELA-1670-1 gst-plugins-ugly1.0 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4514-1] gst-plugins-base1.0 security update
[DLA 4516-1] gst-plugins-ugly1.0 security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6187-1] php-phpseclib3 security update
[DSA 6186-1] php-phpseclib security update
[DSA 6185-1] phpseclib security update
Debian GNU/Linux 13 (Trixie):
[DSA 6184-1] incus security update
[DSA 6183-1] nodejs security update
[SECURITY] [DLA 4514-1] gst-plugins-base1.0 security update
- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4514-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
March 29, 2026 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------
Package : gst-plugins-base1.0
Version : 1.18.4-2+deb11u5
CVE ID : CVE-2026-2921
An integer overflow was discovered in the RIFF parser of the GStreamer
media framework, which may result in denial of service or potentially the
execution of arbitrary code if a malformed media file is opened.
For Debian 11 bullseye, this problem has been fixed in version
1.18.4-2+deb11u5.
We recommend that you upgrade your gst-plugins-base1.0 packages.
For the detailed security status of gst-plugins-base1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1669-1 gst-plugins-base1.0 security update
Package : gst-plugins-base1.0
Version : 1.10.4-1+deb9u7 (stretch), 1.14.4-2+deb10u6 (buster)
Related CVEs :
CVE-2026-2921
An integer overflow was discovered in the RIFF parser of the GStreamer
media framework, which may result in denial of service or potentially the
execution of arbitrary code if a malformed media file is opened.
[SECURITY] [DSA 6184-1] incus security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6184-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 29, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : incus
CVE ID : CVE-2026-28384 CVE-2026-33542 CVE-2026-33743
Multiple security issues were discovered in Incus, a system container
and virtual machine manager, which could result in denial of service
or the execution of arbitrary commands.
For the stable distribution (trixie), these problems have been fixed in
version 6.0.4-2+deb13u5.
We recommend that you upgrade your incus packages.
For the detailed security status of incus please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/incus
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6183-1] nodejs security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6183-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 29, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : nodejs
CVE ID : CVE-2026-21637 CVE-2026-21710 CVE-2026-21713 CVE-2026-21714
CVE-2026-21715 CVE-2026-21716 CVE-2026-21717
Multiple vulnerabilities were discovered in Node.js, which could result
in denial of service, side channel attacks or information disclosure.
For the stable distribution (trixie), these problems have been fixed in
version 20.19.2+dfsg-1+deb13u2.
We recommend that you upgrade your nodejs packages.
For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4516-1] gst-plugins-ugly1.0 security update
- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4516-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
March 30, 2026 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------
Package : gst-plugins-ugly1.0
Version : 1.18.4-2+deb11u2
CVE ID : CVE-2026-2920 CVE-2026-2922
Two vulnerabilities were discovered in gst-plugins-ugly1.0, a set of
GStreamer plugins from the "ugly" set.
CVE-2026-2920
The ASF demuxer did not validate the number of streams against
the size of its static streams array. A crafted ASF file with
more than 32 streams could cause a heap-based buffer overflow
and potentially allow code execution.
CVE-2026-2922
The RealMedia demuxer checked for too many video fragments after
writing to the fragment storage, allowing an out-of-bounds write.
Additionally, an integer overflow in the fragment size check could
bypass the available data validation.
For Debian 11 bullseye, these problems have been fixed in version
1.18.4-2+deb11u2.
We recommend that you upgrade your gst-plugins-ugly1.0 packages.
For the detailed security status of gst-plugins-ugly1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-ugly1.0
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6187-1] php-phpseclib3 security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6187-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 29, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : php-phpseclib3
CVE ID : CVE-2026-32935
It was discovered that the AES-CBC implementation in the PHP Secure
Communications Library was susceptible to a padding oracle timing attack.
For the oldstable distribution (bookworm), these problems have been fixed
in version 3.0.19-1+deb12u4. This update also fixes CVE-2023-52892.
For the stable distribution (trixie), these problems have been fixed in
version 3.0.43-2+deb13u1.
We recommend that you upgrade your php-phpseclib3 packages.
For the detailed security status of php-phpseclib3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib3
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6186-1] php-phpseclib security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6186-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 29, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : php-phpseclib
CVE ID : CVE-2026-32935
It was discovered that the AES-CBC implementation in the PHP Secure
Communications Library was susceptible to a padding oracle timing attack.
For the oldstable distribution (bookworm), these problems have been fixed
in version 2.0.42-1+deb12u3. This update also fixes CVE-2023-52892.
For the stable distribution (trixie), these problems have been fixed in
version 2.0.48-3+deb13u1.
We recommend that you upgrade your php-phpseclib packages.
For the detailed security status of php-phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6185-1] phpseclib security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6185-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 29, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : phpseclib
CVE ID : CVE-2026-32935
It was discovered that the AES-CBC implementation in the PHP Secure
Communications Library was susceptible to a padding oracle timing attack.
For the oldstable distribution (bookworm), these problems have been fixed
in version 1.0.20-1+deb12u3. This update also fixes CVE-2023-52892.
For the stable distribution (trixie), these problems have been fixed in
version 1.0.23-6+deb13u1.
We recommend that you upgrade your phpseclib packages.
For the detailed security status of phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpseclib
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
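The three phpseclib advisories above (DSA 6185-1, 6186-1 and 6187-1) all describe the same class of flaw: a CBC padding check whose running time depends on the decrypted bytes. The following C example is added here to show that class and is not phpseclib code; the padding format (PKCS#7 with a 16-byte block), the helper names and the sample plaintext blocks are all constructed for illustration. The naive function counts how many bytes it read, which stands in for the elapsed time an attacker would measure; the constant-time variant does the same work for every input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK 16  /* AES block size; PKCS#7 pad value is 1..16 */

/* Demo instrumentation only: how many trailing plaintext bytes the naive
 * check read before deciding. An attacker observes this as elapsed time. */
static size_t naive_bytes_read;

/* Naive PKCS#7 unpad: returns on the first mismatching byte, so its running
 * time reveals how many trailing bytes already equal the pad value. That is
 * the per-byte oracle a CBC padding attack needs. Returns unpadded length or -1. */
static int pkcs7_unpad_naive(const uint8_t *pt, size_t len)
{
    naive_bytes_read = 0;
    if (len == 0 || len % BLOCK != 0)
        return -1;
    uint8_t pad = pt[len - 1];
    naive_bytes_read = 1;
    if (pad == 0 || pad > BLOCK)
        return -1;
    for (size_t i = 2; i <= pad; i++) {
        naive_bytes_read++;
        if (pt[len - i] != pad)
            return -1;                    /* early exit leaks the position i */
    }
    return (int)(len - pad);
}

/* Branch-free helpers: all-ones when the predicate holds, zero otherwise.
 * Operands here are tiny (< 2^31), so the sign-bit trick is valid. */
static uint32_t ct_nonzero(uint32_t x) { return 0u - ((x | (0u - x)) >> 31); }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ~ct_nonzero(a ^ b); }
static uint32_t ct_lt(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }
static uint32_t ct_le(uint32_t a, uint32_t b) { return ~ct_lt(b, a); }

/* Constant-time unpad: always reads the last BLOCK bytes and folds every test
 * into a mask, so the work done does not depend on the secret plaintext. */
static int pkcs7_unpad_ct(const uint8_t *pt, size_t len)
{
    if (len == 0 || len % BLOCK != 0)     /* length is public; branching is fine */
        return -1;
    uint32_t pad = pt[len - 1];
    uint32_t bad = ct_eq(pad, 0) | ct_lt(BLOCK, pad);
    for (uint32_t i = 1; i <= BLOCK; i++) {
        uint32_t b = pt[len - i];
        bad |= ct_le(i, pad) & ~ct_eq(b, pad);   /* only bytes inside the pad count */
    }
    uint32_t r = bad | (~bad & ((uint32_t)len - pad));
    return (int32_t)r;                    /* -1 when bad, unpadded length otherwise */
}

/* Constructed sample blocks (not real ciphertext output). */
static const uint8_t SAMPLE_OK[BLOCK]   = {1,2,3,4,5,6,7,8,9,10,11,12,4,4,4,4};   /* valid pad 4 */
static const uint8_t SAMPLE_BAD[BLOCK]  = {1,2,3,4,5,6,7,8,9,10,11,12,4,4,9,4};   /* 2nd byte wrong */
static const uint8_t SAMPLE_FULL[BLOCK] = {16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16};
static const uint8_t SAMPLE_ZERO[BLOCK] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0}; /* pad 0: invalid */

int main(void)
{
    int ok = pkcs7_unpad_naive(SAMPLE_OK, BLOCK);
    printf("naive: valid pad -> %d, read %zu bytes\n", ok, naive_bytes_read);
    int bad = pkcs7_unpad_naive(SAMPLE_BAD, BLOCK);
    printf("naive: bad pad   -> %d, read %zu bytes (timing differs)\n", bad, naive_bytes_read);
    printf("ct: %d %d %d %d\n", pkcs7_unpad_ct(SAMPLE_OK, BLOCK), pkcs7_unpad_ct(SAMPLE_BAD, BLOCK),
           pkcs7_unpad_ct(SAMPLE_FULL, BLOCK), pkcs7_unpad_ct(SAMPLE_ZERO, BLOCK));
    return 0;
}
```

A constant-time unpad removes the timing signal but not the oracle itself: if the application still reports "bad padding" differently from any other decryption failure, the attacker gets the same bit through the error path. The robust design is encrypt-then-MAC, verifying the authentication tag before the padding is ever examined, so that no padding-dependent behaviour is reachable with attacker-chosen ciphertext.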
ELA-1670-1 gst-plugins-ugly1.0 security update
Package : gst-plugins-ugly1.0
Version : 1.10.4-1+deb9u3 (stretch), 1.14.4-1+deb10u3 (buster)
Related CVEs :
CVE-2026-2920
CVE-2026-2922
Two vulnerabilities were discovered in gst-plugins-ugly1.0, a set of
GStreamer plugins from the “ugly” set.
CVE-2026-2920
The ASF demuxer did not validate the number of streams against
the size of its static streams array. A crafted ASF file with
more than 32 streams could cause a heap-based buffer overflow
and potentially allow code execution.
CVE-2026-2922
The RealMedia demuxer checked for too many video fragments after
writing to the fragment storage, allowing an out-of-bounds write.
Additionally, an integer overflow in the fragment size check could
bypass the available data validation.
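The two bug patterns described for CVE-2026-2920 and CVE-2026-2922 (in DLA 4516-1 and again in ELA-1670-1 above) are a missing bound on a count that indexes a static array, a bounds check placed after the write it should guard, and an addition in a size check that can wrap. The C example below is added to show each pattern beside its fixed form; it is not GStreamer code. The 32-entry stream table is the figure the advisory gives; the fragment limit, the structure layouts, the header layout and the sample inputs are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits are assumptions for this example. 32 is the ASF stream-table size the
 * advisory quotes; the RealMedia fragment limit is invented for illustration. */
#define ASF_MAX_STREAMS  32
#define RM_MAX_FRAGMENTS 64

typedef struct {
    uint16_t stream_ids[ASF_MAX_STREAMS]; /* static table, sized at compile time */
    uint32_t num_streams;
} asf_demux;

/* CVE-2026-2920 pattern: the unsafe code indexed the static table with a count
 * read from the file and never compared it to ASF_MAX_STREAMS, so a header
 * announcing 33 or more streams wrote past the end. Compare first, then store. */
static bool asf_add_stream(asf_demux *d, uint16_t id)
{
    if (d->num_streams >= ASF_MAX_STREAMS)
        return false;                     /* reject the file instead of overflowing */
    d->stream_ids[d->num_streams++] = id;
    return true;
}

/* Parse a constructed ASF-like header: byte 0 = stream count, then one
 * little-endian uint16 id per stream. Returns streams accepted, or -1 on reject. */
static int asf_parse_header(const uint8_t *buf, size_t len)
{
    asf_demux d;
    memset(&d, 0, sizeof d);
    if (len < 1 || len < 1 + 2 * (size_t)buf[0])
        return -1;                        /* truncated header */
    for (size_t i = 0; i < buf[0]; i++) {
        uint16_t id = (uint16_t)(buf[1 + 2 * i] | (buf[2 + 2 * i] << 8));
        if (!asf_add_stream(&d, id))
            return -1;
    }
    return (int)d.num_streams;
}

/* Build a header announcing `count` streams and parse it (constructed input). */
static int asf_demo(uint8_t count)
{
    uint8_t buf[1 + 2 * 255];
    buf[0] = count;
    for (size_t i = 0; i < count; i++) {
        buf[1 + 2 * i] = (uint8_t)(i + 1);
        buf[2 + 2 * i] = 0;
    }
    return asf_parse_header(buf, 1 + 2 * (size_t)count);
}

typedef struct {
    uint32_t frag_offset[RM_MAX_FRAGMENTS];
    uint32_t num_fragments;
    uint32_t bytes_used;                  /* fragment bytes consumed so far */
} rm_demux;

/* CVE-2026-2922, second issue: a size check that can wrap. In 32-bit unsigned
 * arithmetic used + frag overflows for a large frag and the test passes. */
static bool size_check_wrapping(uint32_t used, uint32_t frag, uint32_t avail)
{
    return (uint32_t)(used + frag) <= avail;   /* 16 + 0xFFFFFFF0 wraps to 0 */
}

/* Overflow-safe form: do not add two attacker-influenced values; subtract the
 * known-smaller one from the bound instead, after checking it is in range. */
static bool size_check_safe(uint32_t used, uint32_t frag, uint32_t avail)
{
    return used <= avail && frag <= avail - used;
}

/* CVE-2026-2922, first issue: the unsafe code stored the fragment and tested
 * "too many fragments" afterwards, so one out-of-bounds write had already
 * happened when the check fired. Both checks belong before the write. */
static bool rm_add_fragment(rm_demux *d, uint32_t frag_size, uint32_t avail)
{
    if (d->num_fragments >= RM_MAX_FRAGMENTS)
        return false;
    if (!size_check_safe(d->bytes_used, frag_size, avail))
        return false;
    d->frag_offset[d->num_fragments++] = d->bytes_used;
    d->bytes_used += frag_size;
    return true;
}

/* Feed n fragments of frag_size against `avail` bytes of data; return how many were accepted. */
static int rm_demo(uint32_t n, uint32_t frag_size, uint32_t avail)
{
    rm_demux d;
    memset(&d, 0, sizeof d);
    int accepted = 0;
    for (uint32_t i = 0; i < n && rm_add_fragment(&d, frag_size, avail); i++)
        accepted++;
    return accepted;
}

int main(void)
{
    printf("ASF: 32 streams -> %d, 33 streams -> %d\n", asf_demo(32), asf_demo(33));
    printf("RM: 65 fragments offered, %d accepted\n", rm_demo(65, 1, 1000));
    printf("size 0xFFFFFFF0 with 84 bytes left: wrapping check %d, safe check %d\n",
           size_check_wrapping(16, 0xFFFFFFF0u, 100), size_check_safe(16, 0xFFFFFFF0u, 100));
    return 0;
}
```

The wrapping comparison is kept as a pure arithmetic function so the example can show it accepting an impossible size without performing the out-of-bounds write that would follow in a real demuxer; a fuzzer or a build with -fsanitize=undefined,address is the practical way to shake out both patterns in a real parser.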