[SECURITY] [DLA 4661-1] jq security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4661-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
July 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : jq
Version : 1.6-2.1+deb11u3
CVE ID : CVE-2026-43894 CVE-2026-47770 CVE-2026-49839 CVE-2026-54679
Debian Bug : 1136445
It was found that jq, a lightweight and flexible command-line JSON parser, was
vulnerable to multiple memory corruption attacks, which could lead to
application crashes, denial-of-service conditions, and potentially arbitrary
code execution through heap corruption when parsing untrusted input.
For Debian 11 bullseye, these problems have been fixed in version
1.6-2.1+deb11u3.
We recommend that you upgrade your jq packages.
For the detailed security status of jq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jq
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1764-1 librabbitmq security update (by )
Package : librabbitmq
Version : 0.8.0-1+deb9u2 (stretch), 0.9.0-0.2+deb10u2 (buster)
Related CVEs :
CVE-2026-44235
CVE-2026-44236
Two issues were discovered in librabbitmq, a C-language client library used to communicate with RabbitMQ servers using the Advanced Message Queuing Protocol (AMQP).
[SECURITY] [DLA 4662-1] jq security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4662-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
July 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : jq
Version : 1.6-2.1+deb12u2
CVE ID : CVE-2026-32316 CVE-2026-33947 CVE-2026-33948 CVE-2026-39956
CVE-2026-39979 CVE-2026-40164 CVE-2026-41256 CVE-2026-41257
CVE-2026-43894 CVE-2026-43895 CVE-2026-43896 CVE-2026-44777
CVE-2026-47770 CVE-2026-49839 CVE-2026-54679
Debian Bug : 1133921 1136445
It was found that jq, a lightweight and flexible command-line JSON parser, was
vulnerable to multiple memory corruption attacks, which could lead to
application crashes, denial-of-service conditions, and potentially arbitrary
code execution through heap corruption when parsing untrusted input.
For Debian 12 bookworm, these problems have been fixed in version
1.6-2.1+deb12u2.
For Debian 11 bullseye, these issues have been addressed in DLA-4599-1 and
DLA-4661-1.
We recommend that you upgrade your jq packages.
For the detailed security status of jq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jq
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4663-1] node-lodash security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4663-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
July 02, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : node-lodash
Version : 4.17.21+dfsg+~cs8.31.173-1+deb11u1
CVE ID : CVE-2025-13465 CVE-2026-2950 CVE-2026-4800
Debian Bug : 1126265
Several vulnerabilities were discovered in node-lodash, a Node.js
module providing utility functions for common programming tasks.
CVE-2025-13465
Prototype pollution in the _.unset and _.omit functions. A
crafted property path could be used to delete properties from
built-in prototypes (such as Object.prototype), leading to
availability and integrity issues.
CVE-2026-2950
An incomplete fix for CVE-2025-13465. The initial guard only
handled string key members and the literal "constructor.prototype"
sequence, so it could be bypassed using array-wrapped path
segments (for example [['constructor'], ['keys']]), via
constructor static methods, or from primitive roots, again allowing
deletion of properties on shared built-in prototypes.
CVE-2026-4800
Code injection in the _.template function. An incomplete fix for
CVE-2021-23337: the "variable" option was validated but the
"imports" option key names were not. Untrusted input passed as
imports key names could inject default-parameter expressions that
execute arbitrary code at template compilation time via the same
Function() constructor sink.
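The two incomplete fixes above share a lesson for callers: validate untrusted property paths and template option names before they reach lodash at all. The following is an added example of such caller-side checks, not lodash's patched code; the function names (normalizePath, isSafePropertyPath, isSafeImportsKey, badImportKeys), the simplified string-path parser and the policy of rejecting the listed segments outright are assumptions.

```javascript
// Added example: caller-side validation for values that would otherwise be
// passed untrusted to _.unset/_.omit (property paths) or to _.template
// (the "imports" option). Not lodash's own code.

// Segments that, used as a path key, address a shared built-in prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function firstDefined(...vals) {
  return vals.find((v) => v !== undefined);
}

// Flatten a lodash-style path into plain string segments. lodash accepts a
// dotted/bracketed string ("a.b[0].c") or an array of keys. The bypass in
// CVE-2026-2950 wrapped segments in nested arrays, so arrays are flattened
// to any depth and every segment is coerced to a string before comparison.
// The string parser is a simplified approximation of lodash's own toPath.
function normalizePath(path) {
  if (Array.isArray(path)) {
    return path.flat(Infinity).map(String);
  }
  return String(path)
    .replace(/\[(?:'([^']*)'|"([^"]*)"|([^\]]*))\]/g,
      (_, s1, s2, s3) => '.' + firstDefined(s1, s2, s3))
    .split('.')
    .filter((seg) => seg.length > 0);
}

// True only when no segment can reach a shared prototype.
function isSafePropertyPath(path) {
  return normalizePath(path).every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// _.template splices "imports" key names into generated function source as
// parameter names, so only plain identifiers are acceptable there.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function isSafeImportsKey(name) {
  return typeof name === 'string' && IDENTIFIER.test(name);
}

// Returns the keys of an imports object that must be rejected.
function badImportKeys(imports) {
  return Object.keys(imports).filter((k) => !isSafeImportsKey(k));
}
```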
For Debian 11 bullseye, these problems have been fixed in version
4.17.21+dfsg+~cs8.31.173-1+deb11u1.
We recommend that you upgrade your node-lodash packages.
For the detailed security status of node-lodash please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-lodash
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1765-1 apache2 security update (by )
Package : apache2
Version : 2.4.25-3+deb9u25 (stretch)
Related CVEs :
CVE-2026-29167
CVE-2026-29170
CVE-2026-34355
CVE-2026-34356
CVE-2026-42535
CVE-2026-42536
CVE-2026-43951
CVE-2026-44119
CVE-2026-44185
CVE-2026-44186
CVE-2026-44631
CVE-2026-48913
Multiple vulnerabilities have been discovered in the Apache HTTP server,
which may result in remote code execution, privilege escalation, denial
of service or information disclosure.