Debian has released several security updates to address vulnerabilities in various packages. The first update, DSA-6106-1, fixes a flaw in inetutils that allows remote attackers to log in as root by bypassing normal authentication processes. Another update, DSA-6108-1, addresses a security issue in Chromium that could result in arbitrary code execution, denial of service, or information disclosure. Additionally, updates have been released for python-urllib3 and bind9 to correct regressions and vulnerabilities in these packages.

[DSA 6106-1] inetutils security update
[DSA 6108-1] chromium security update
[DSA 6102-2] python-urllib3 regression update
[DSA 6107-1] bind9 security update

[SECURITY] [DSA 6106-1] inetutils security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6106-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 22, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : inetutils
CVE ID : CVE-2026-24061
Debian Bug : 1126047

Kyu Neushwaistein discovered that telnetd from inetutils does not
sanitize the USER environment variable before passing it on to login. A
remote attacker can take advantage of this flaw to login as root,
bypassing normal authentication processes.

For the oldstable distribution (bookworm), this problem has been fixed
in version 2:2.4-2+deb12u2.

For the stable distribution (trixie), this problem has been fixed in
version 2:2.6-3+deb13u1.

We recommend that you upgrade your inetutils packages.

For the detailed security status of inetutils please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/inetutils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6108-1] chromium security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6108-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
January 22, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2026-1220

A security issue was discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the oldstable distribution (bookworm), this problem has been fixed
in version 144.0.7559.96-1~deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 144.0.7559.96-1~deb13u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6102-2] python-urllib3 regression update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6102-2 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 22, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : python-urllib3
CVE ID : CVE-2026-21441
Debian Bug : 1126002

The update for python-urllib3 announced in DSA 6102-1 introduced a
regression in the patch meant to address CVE-2026-21441 for the
oldstable distribution (bookworm). Updated packages are now available to
correct this issue.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.26.12-1+deb12u3.

We recommend that you upgrade your python-urllib3 packages.

For the detailed security status of python-urllib3 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python-urllib3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6107-1] bind9 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6107-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 22, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : bind9
CVE ID : CVE-2025-13878

Vlatko Kosturjak discovered that BIND, a DNS server implementation, does
not properly handle malformed BRID/HHIT records, which may result in
denial of service (named daemon crash).

For the oldstable distribution (bookworm), this problem has been fixed
in version 1:9.18.44-1~deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 1:9.20.18-1~deb13u1.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/