
Debian LTS and Freexian Extended teams released four security advisories on July 1 and 2, 2026 to patch critical flaws across jq, librabbitmq, node-lodash, and apache2. The jq updates resolve memory corruption bugs that let attackers crash programs or execute arbitrary code via heap exploitation. Administrators also need to fix prototype pollution and code injection risks in node-lodash, AMQP communication errors in librabbitmq, and several remote code execution and privilege escalation issues in apache2.

[DLA 4661-1] jq security update
ELA-1764-1 librabbitmq security update
[DLA 4662-1] jq security update
[DLA 4663-1] node-lodash security update
ELA-1765-1 apache2 security update




[SECURITY] [DLA 4661-1] jq security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4661-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
July 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : jq
Version : 1.6-2.1+deb11u3
CVE ID : CVE-2026-43894 CVE-2026-47770 CVE-2026-49839 CVE-2026-54679
Debian Bug : 1136445

It was found that jq, a lightweight and flexible command-line JSON parser, was
vulnerable to multiple memory corruption attacks, which could lead to
application crashes, denial-of-service conditions, and potentially arbitrary
code execution through heap corruption when parsing untrusted input.

For Debian 11 bullseye, these problems have been fixed in version
1.6-2.1+deb11u3.

We recommend that you upgrade your jq packages.

For the detailed security status of jq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1764-1 librabbitmq security update


Package : librabbitmq
Version : 0.8.0-1+deb9u2 (stretch), 0.9.0-0.2+deb10u2 (buster)
Related CVEs : CVE-2026-44235 CVE-2026-44236

Two issues were discovered in librabbitmq, a C-language client library used to communicate with RabbitMQ servers using the Advanced Message Queuing Protocol (AMQP).





[SECURITY] [DLA 4662-1] jq security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4662-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
July 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : jq
Version : 1.6-2.1+deb12u2
CVE ID : CVE-2026-32316 CVE-2026-33947 CVE-2026-33948 CVE-2026-39956
CVE-2026-39979 CVE-2026-40164 CVE-2026-41256 CVE-2026-41257
CVE-2026-43894 CVE-2026-43895 CVE-2026-43896 CVE-2026-44777
CVE-2026-47770 CVE-2026-49839 CVE-2026-54679
Debian Bug : 1133921 1136445

It was found that jq, a lightweight and flexible command-line JSON parser, was
vulnerable to multiple memory corruption attacks, which could lead to
application crashes, denial-of-service conditions, and potentially arbitrary
code execution through heap corruption when parsing untrusted input.

For Debian 12 bookworm, these problems have been fixed in version
1.6-2.1+deb12u2.

For Debian 11 bullseye, these issues have been addressed in DLA-4599-1 and
DLA-4661-1.

We recommend that you upgrade your jq packages.

For the detailed security status of jq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4663-1] node-lodash security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4663-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
July 02, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : node-lodash
Version : 4.17.21+dfsg+~cs8.31.173-1+deb11u1
CVE ID : CVE-2025-13465 CVE-2026-2950 CVE-2026-4800
Debian Bug : 1126265

Several vulnerabilities were discovered in node-lodash, a Node.js
module providing utility functions for common programming tasks.

CVE-2025-13465

Prototype pollution in the _.unset and _.omit functions. A
crafted property path could be used to delete properties from
built-in prototypes (such as Object.prototype), leading to
availability and integrity issues.

CVE-2026-2950

An incomplete fix for CVE-2025-13465. The initial guard only
handled string key members and the literal "constructor.prototype"
sequence, so it could be bypassed using array-wrapped path
segments (for example [['constructor'], ['keys']]), via
constructor static methods, or from primitive roots, again allowing
deletion of properties on shared built-in prototypes.

CVE-2026-4800

Code injection in the _.template function. An incomplete fix for
CVE-2021-23337: the "variable" option was validated but the
"imports" option key names were not. Untrusted input passed as
imports key names could inject default-parameter expressions that
execute arbitrary code at template compilation time via the same
Function() constructor sink.
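The two lodash weaknesses described above share a theme: a property path or an option key that is trusted as a plain name is actually able to reach a shared prototype or to become generated source. The following is an added example, not lodash's code and not Debian's patch, showing a defensive `safeUnset` that normalizes array-wrapped path segments before checking them, walks only own properties of plain objects, and refuses to operate on primitive roots or function objects, together with an identifier check for template `imports` key names. All function names and the forbidden-segment list are assumptions made for this example.

```javascript
// Added example (not lodash's own implementation): a hardened path-based
// unset plus validation of template "imports" key names.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Flatten one path segment. lodash-style paths may carry a string, a number
// or an array-wrapped segment such as ['constructor']; the guard must see the
// underlying key, not the wrapper, or it is trivially bypassed.
function normalizeSegment(segment) {
  if (Array.isArray(segment)) {
    if (segment.length !== 1) {
      throw new TypeError("path segment arrays must hold exactly one key");
    }
    return normalizeSegment(segment[0]);
  }
  return typeof segment === "symbol" ? segment : String(segment);
}

// Turn a path ("a.b.c" or an array) into plain keys, refusing any key that
// would let the walk move onto a prototype chain.
function toSafePath(path) {
  const raw = Array.isArray(path) ? path : String(path).split(".");
  const keys = raw.map(normalizeSegment);
  for (const key of keys) {
    if (typeof key === "string" && FORBIDDEN_SEGMENTS.has(key)) {
      throw new Error(`refusing path segment "${key}"`);
    }
  }
  return keys;
}

// A container we are willing to descend into or delete from: a non-null
// object. Functions (e.g. a constructor reached through a user value) and
// primitive roots are rejected, so built-ins are never modified.
function isPlainContainer(value) {
  return value !== null && typeof value === "object";
}

// Delete the property at `path` from `obj`. Returns true only when an own,
// configurable property was actually removed.
function safeUnset(obj, path) {
  const keys = toSafePath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!isPlainContainer(cur)) return false;
    if (!Object.prototype.hasOwnProperty.call(cur, keys[i])) return false;
    cur = cur[keys[i]];
  }
  if (!isPlainContainer(cur)) return false;
  const last = keys[keys.length - 1];
  if (!Object.prototype.hasOwnProperty.call(cur, last)) return false;
  return delete cur[last];
}

// Template imports become parameter names of the generated function, so each
// key must be a bare identifier. Anything containing "=", "(", spaces or other
// punctuation could otherwise smuggle a default-parameter expression into the
// compiled source. The ASCII-only pattern is a deliberately conservative choice.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

// Returns the list of import key names that fail validation (empty if all pass).
function invalidImportNames(imports) {
  return Object.keys(imports).filter((name) => !IDENTIFIER.test(name));
}

module.exports = { toSafePath, safeUnset, invalidImportNames };
```

A caller would reject the template options outright when `invalidImportNames` returns a non-empty list, rather than trying to escape the offending names; and `safeUnset` returning `false` on a primitive root is deliberate, since there is nothing legitimate to delete there.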

For Debian 11 bullseye, this problem has been fixed in version
4.17.21+dfsg+~cs8.31.173-1+deb11u1.

We recommend that you upgrade your node-lodash packages.

For the detailed security status of node-lodash please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-lodash

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1765-1 apache2 security update


Package : apache2
Version : 2.4.25-3+deb9u25 (stretch)
Related CVEs : CVE-2026-29167 CVE-2026-29170 CVE-2026-34355 CVE-2026-34356
CVE-2026-42535 CVE-2026-42536 CVE-2026-43951 CVE-2026-44119
CVE-2026-44185 CVE-2026-44186 CVE-2026-44631 CVE-2026-48913

Multiple vulnerabilities have been discovered in the Apache HTTP server,
which may result in remote code execution, privilege escalation, denial
of service or information disclosure.

