Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1619-1 inetutils security update
ELA-1621-1 taglib security update
ELA-1620-1 zvbi security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1622-1 php7.3 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4454-1] libuev security update
[DLA 4455-1] python3.9 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 6110-1] openjdk-17 security update
ELA-1619-1 inetutils security update
Package : inetutils
Version : 1.9.4-2+deb9u4 (stretch), 2:1.9.4-7+deb10u4 (buster)
Related CVEs :
CVE-2026-24061
Kyu Neushwaistein aka Carlos Cortes Alvarez found that inetutils,
a collection of common network programs, was vulnerable to an authentication
bypass problem in telnetd, which could lead to remote root shell access (if
telnetd is enabled and exposed).
As also described in the GNU InetUtils security advisory, running the telnetd server is not recommended at all. At a minimum, restrict network access to the telnet port to trusted clients only. The telnet protocol has no built-in encryption, so authentication details are sent in plain text over the network, which therefore has to be trusted.
For more details see the GNU InetUtils Security Advisory:
https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
[SECURITY] [DSA 6110-1] openjdk-17 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6110-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 25, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openjdk-17
CVE ID : CVE-2026-21925 CVE-2026-21932 CVE-2026-21933 CVE-2026-21945
Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in incorrect certificate validation,
CRLF injection or man-in-the-middle attacks.
For the oldstable distribution (bookworm), these problems have been fixed
in version 17.0.18+8-1~deb12u1.
We recommend that you upgrade your openjdk-17 packages.
For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4454-1] libuev security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4454-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
January 25, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libuev
Version : 2.3.1-1+deb11u1
CVE ID : CVE-2022-48620
An issue has been found in libuev, a lightweight event loop library for
Linux. The issue is related to a possible buffer overrun in uev_run().
For Debian 11 bullseye, this problem has been fixed in version
2.3.1-1+deb11u1.
We recommend that you upgrade your libuev packages.
For the detailed security status of libuev please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libuev
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1622-1 php7.3 security update
Package : php7.3
Version : 7.3.31-1~deb10u12 (buster)
Related CVEs :
CVE-2025-14178
Security issues were found in PHP, a widely-used open source general
purpose scripting language, which could result in server side request
forgery or denial of service.
CVE-2025-14178
Heap buffer overflow in array_merge().
GHSA-www2-q4fc-65wf
dns_get_record() and other DNS functions don’t have any null contain
check, which may lead to SSRF or unexpected behavior. While this
has a (low) security impact, no CVE ID was assigned for this
vulnerability yet.
ELA-1621-1 taglib security update
Package : taglib
Version : 1.11.1+dfsg.1-0.3+deb9u2 (stretch), 1.11.1+dfsg.1-0.3+deb10u2 (buster)
Related CVEs :
CVE-2023-47466
An issue has been found in taglib, an audio meta-data library.
The issue is a segmentation violation, and the resulting application crash, when processing a crafted WAV file in which an id3 chunk is the only valid chunk.
ELA-1620-1 zvbi security update
Package : zvbi
Version : 0.2.35-13+deb9u1 (stretch), 0.2.35-16+deb10u1 (buster)
Related CVEs :
CVE-2025-2173
CVE-2025-2174
CVE-2025-2175
CVE-2025-2176
CVE-2025-2177
Several issues have been found in zvbi, a Vertical Blanking Interval decoder.
CVE-2025-2173 is related to an uninitialized pointer in src/conv.c: vbi_strndup_iconv_ucs2().
The other issues are related to integer overflows in several functions distributed all over the code.
[SECURITY] [DLA 4455-1] python3.9 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4455-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
January 25, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python3.9
Version : 3.9.2-1+deb11u5
CVE ID : CVE-2025-11468 CVE-2025-12084 CVE-2025-15282 CVE-2025-15366 CVE-2025-15367 CVE-2026-0672 CVE-2026-0865 CVE-2026-1299
This upload fixes a regression introduced in 3.9.2-1+deb11u4 (DLA 4445-1),
and also fixes multiple security issues in CPython 3.9.
CVE-2025-12084
When building nested elements using xml.dom.minidom methods such
as appendChild() that have a dependency on _clear_id_cache() the
algorithm was quadratic. Availability could be impacted when building
excessively nested documents.
The fix for this CVE in the previous upload resulted in a regression
in software relying on ownerDocument attribute being always present
in Element instances. This regression has now been fixed.
CVE-2026-0672, CVE-2026-0865, CVE-2025-15282, CVE-2025-15366, CVE-2025-15367
These are all similar vulnerabilities in the following modules:
http.cookies, wsgiref.headers, imaplib, poplib, urllib. In each of
these, control characters were handled incorrectly, allowing injection
of additional cookies, headers or commands. Control characters are
now rejected in these contexts.
CVE-2025-11468
An issue similar to the above. Comments consisting of a very long
sequence of non-foldable characters could trigger a forced line wrap
that omitted the required leading space on the continuation line,
causing the remainder of the comment to be interpreted as a new
header field.
CVE-2026-1299
Another header injection issue: the email module allowed header injection in the
BytesGenerator class. BytesGenerator will now refuse to serialize headers
that are unsafely folded or delimited.
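The control-character entries and the two folding entries above share one failure pattern: a field boundary is crossed, so what should have been part of one header value is read back as a new header, cookie or command. As an added illustration, not part of this advisory or of CPython, the following defensive pre-check and post-serialization check can be applied by an application on its own header data; all function names are this example's own, and the inputs in the comments are constructed.

```python
"""Defensive header/cookie checks (added example; not Debian or CPython code)."""
import re
from typing import Iterable, List, Tuple

# No raw control character (0x00-0x1F, 0x7F) belongs in a header or cookie
# value. A stray CR or LF ends the current field, and whatever follows is
# parsed as a new header, cookie or protocol command: the pattern shared by
# the http.cookies, wsgiref.headers, imaplib, poplib and urllib fixes.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 9110 token chars


class HeaderInjectionError(ValueError):
    """A header name or value that would cross a field boundary."""


def check_field(name: str, value: str) -> Tuple[str, str]:
    """Validate one (name, value) pair before it reaches the library layer."""
    if not _TOKEN.match(name):
        raise HeaderInjectionError(f"invalid header name {name!r}")
    if _CTRL.search(value):
        raise HeaderInjectionError(f"control character in value of {name!r}")
    return name, value


def is_safe_field(name: str, value: str) -> bool:
    """Boolean form of check_field, e.g. is_safe_field("X-Id", "a\r\nB: 1") is False."""
    try:
        check_field(name, value)
    except HeaderInjectionError:
        return False
    return True


def folded_block_is_consistent(fields: Iterable[Tuple[str, str]],
                               serialized: str) -> bool:
    """Post-serialization check. Every line not starting with SP/HTAB opens a
    new field, so the field names read back from the serialized block must
    equal, in order, the names we intended to emit. A folded continuation
    that lost its leading whitespace (the CVE-2025-11468 pattern) or a CRLF
    smuggled inside a value shows up as an extra or malformed line."""
    seen: List[str] = []
    for line in serialized.splitlines():
        if not line or line[0] in " \t":
            continue  # blank line, or a legitimate continuation line
        name, sep, _ = line.partition(":")
        if not sep:
            return False  # a line that is neither a field nor a fold
        seen.append(name.strip().lower())
    return seen == [n.lower() for n, _ in fields]
```

The second check is independent of which library did the folding, so it also catches a patched library being bypassed by a value that was concatenated into the wire format by hand.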
For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u5.
We recommend that you upgrade your python3.9 packages.
For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS