
Debian has released security patches for libhtml-parser-perl, LXD, and Tor across multiple distribution branches. The libhtml-parser-perl update resolves CVE-2026-8829, which allows an attacker to read freed heap memory through the _decode_entities() function. LXD receives fixes for twelve separate vulnerabilities that could otherwise let attackers bypass container restrictions or run unauthorized commands. Tor updates address undisclosed denial of service flaws for Debian stretch, buster, bookworm, and trixie.

[DLA 4655-1] libhtml-parser-perl security update
[DSA 6373-1] lxd security update
[DSA 6372-1] tor security update
ELA-1763-1 libhtml-parser-perl security update
[DLA 4656-1] tor security update




[SECURITY] [DLA 4655-1] libhtml-parser-perl security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4655-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
June 28, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libhtml-parser-perl
Version : 3.75-1+deb11u1
CVE ID : CVE-2026-8829

Paul Johnson discovered that libhtml-parser-perl, a collection of
modules that parse HTML text documents, read freed heap memory in
_decode_entities().

For Debian 11 bullseye, this problem has been fixed in version
3.75-1+deb11u1.

We recommend that you upgrade your libhtml-parser-perl packages.

For the detailed security status of libhtml-parser-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libhtml-parser-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6373-1] lxd security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6373-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 28, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : lxd
CVE ID : CVE-2026-9639 CVE-2026-9640 CVE-2026-48749 CVE-2026-48750
CVE-2026-48751 CVE-2026-48752 CVE-2026-48755 CVE-2026-48769
CVE-2026-55621 CVE-2026-55622

Multiple security issues were discovered in LXD, a system container
and virtual machine manager, which could result in a bypass of security
restrictions or the execution of arbitrary commands.

For the stable distribution (trixie), these problems have been fixed in
version 5.0.2+git20231211.1364ae4-9+deb13u7.

We recommend that you upgrade your lxd packages.

For the detailed security status of lxd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lxd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6372-1] tor security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6372-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 28, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tor
CVE ID : not yet available

Multiple security vulnerabilities were discovered in Tor, a connection-
based low-latency anonymous communication system, which could result in
denial of service.

For the stable distribution (trixie), this problem has been fixed in
version 0.4.9.11-0+deb13u1.

We recommend that you upgrade your tor packages.

For the detailed security status of tor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tor

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1763-1 libhtml-parser-perl security update


Package : libhtml-parser-perl
Version : 3.72-3+deb9u1 (stretch), 3.72-3+deb10u1 (buster)
Related CVEs : CVE-2026-8829

A heap use-after-free issue was discovered in libhtml-parser-perl
(HTML::Entities module).
The XS routine backing _decode_entities() reads freed heap memory in
some situations, which may disclose adjacent heap contents.





[SECURITY] [DLA 4656-1] tor security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4656-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
June 28, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : tor
Version : 0.4.9.11-0+deb12u1
CVE ID : not yet available

Multiple security vulnerabilities were discovered in Tor, a connection-
based low-latency anonymous communication system, which could result in
denial of service.

For Debian 12 bookworm, this problem has been fixed in version
0.4.9.11-0+deb12u1.

We recommend that you upgrade your tor packages.

For the detailed security status of tor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tor

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
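
To check a package inventory against the fixed versions listed in the advisories above, the following added example (not part of any advisory, and not Debian's own code) compares installed versions using a small reimplementation of dpkg's version ordering. The inventory rows and the helper names are constructed for illustration; on a Debian host, `dpkg --compare-versions` remains the authoritative comparison.

```python
import re

# Fixed versions copied from the advisories on this page: (package, release) -> version.
FIXED = {
    ("libhtml-parser-perl", "stretch"): "3.72-3+deb9u1",
    ("libhtml-parser-perl", "buster"): "3.72-3+deb10u1",
    ("libhtml-parser-perl", "bullseye"): "3.75-1+deb11u1",
    ("lxd", "trixie"): "5.0.2+git20231211.1364ae4-9+deb13u7",
    ("tor", "bookworm"): "0.4.9.11-0+deb12u1",
    ("tor", "trixie"): "0.4.9.11-0+deb13u1",
}

def _part_key(part):
    """Sort key for an upstream or revision string, following dpkg's ordering."""
    def chars(s):
        # '~' sorts before end-of-string (0); letters sort before other symbols.
        return [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in s] + [0]
    tokens = [t for t in re.findall(r"(\D*)(\d*)", part or "0") if t != ("", "")]
    # The trailing empty token stands for end-of-string so "1.0~rc1" < "1.0" < "1.0.1".
    return [(chars(nd), int(d or 0)) for nd, d in tokens + [("", "")]]

def version_key(v):
    head, sep, rest = v.partition(":")           # optional epoch before the first ':'
    epoch, rest = (int(head), rest) if sep else (0, v)
    upstream, sep, revision = rest.rpartition("-")  # revision after the last '-'
    if not sep:
        upstream, revision = rest, "0"           # a missing revision compares equal to "0"
    return (epoch, _part_key(upstream), _part_key(revision))

def needs_upgrade(package, release, installed):
    """True/False against the advisory's fixed version; None if the page lists no fix."""
    fixed = FIXED.get((package, release))
    return None if fixed is None else version_key(installed) < version_key(fixed)

# Constructed inventory (host, release, package, installed version); not from the page.
INVENTORY = [
    ("web1", "bullseye", "libhtml-parser-perl", "3.75-1"),
    ("ct-host", "trixie", "lxd", "5.0.2+git20231211.1364ae4-9+deb13u6"),
    ("relay1", "bookworm", "tor", "0.4.8.16-1~deb12u1"),
    ("relay2", "trixie", "tor", "0.4.9.11-0+deb13u1"),
]

def report(inventory=INVENTORY):
    return [(h, p) for h, r, p, v in inventory if needs_upgrade(p, r, v)]

if __name__ == "__main__":
    for host, pkg in report():
        print(f"{host}: {pkg} is below the fixed version")
```

A `None` result means the page lists no fixed version for that package and release, so the security tracker page for the package is the place to check.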