Debian 10951

Debian system administrators should apply this round of security updates promptly: they address serious flaws in several widely used libraries and in two OpenStack components. libinput needs an immediate upgrade because a udev helper it ships does not sanitise device properties properly, which a local user can abuse for privilege escalation in some setups. libdbi-perl receives fixes for two issues that can lead to denial of service or potentially arbitrary code execution. OpenStack deployments face information disclosure and denial of service in Ironic, and a port RBAC bypass in Neutron, until both packages (and python-oslo.messaging alongside Ironic) are updated. Finally, applications built on libxml2 should pick up the Extended LTS releases, which stop self-referencing catalogs and deeply nested RelaxNG schemas from exhausting the stack and close several memory leaks that could be driven towards resource exhaustion.

[DSA 6339-1] libinput security update
[DSA 6338-1] libdbi-perl security update
[DLA 4626-1] libinput security update
[DSA 6341-1] ironic security update
[DSA 6340-1] neutron security update
ELA-1753-1 libxml2 security update




[SECURITY] [DSA 6339-1] libinput security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6339-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 11, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libinput
CVE ID : CVE-2026-50292

It was discovered that a udev helper provided by libinput, an input
device management and event handling library, performed insufficient
sanitising of device properties, which can result in local privilege
escalation in some setups.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.22.1-1+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 1.28.1-1+deb13u1.

We recommend that you upgrade your libinput packages.

For the detailed security status of libinput please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libinput

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6338-1] libdbi-perl security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6338-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 11, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libdbi-perl
CVE ID : CVE-2026-9698 CVE-2026-10879

Two vulnerabilities were discovered in libdbi-perl, a Perl framework
that provides a common interface to access various backend databases in
a uniform manner, which may result in denial of service, or potentially
the execution of arbitrary code.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1.643-4+deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 1.647-1+deb13u1.

We recommend that you upgrade your libdbi-perl packages.

For the detailed security status of libdbi-perl please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libdbi-perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4626-1] libinput security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4626-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
June 11, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libinput
Version : 1.16.4-3+deb11u1
CVE ID : CVE-2022-1215 CVE-2026-50292

Two vulnerabilities were found in libinput, an input device management
and event handling library.

CVE-2022-1215

libinput did not properly handle evdev devices (a format string
vulnerability), which may be exploited by malicious local users in
specific setups to execute arbitrary code. Reported by Albin
Eldstål-Ahrens and Lukas Lamster.

CVE-2026-50292

A udev helper provided by libinput performed insufficient sanitising of
device properties, which can result in local privilege escalation in
some setups. Reported by Csome.

For Debian 11 bullseye, these problems have been fixed in version
1.16.4-3+deb11u1.

We recommend that you upgrade your libinput packages.

For the detailed security status of libinput please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libinput

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6341-1] ironic security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6341-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 11, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ironic
CVE ID : CVE-2024-44082 CVE-2026-42997 CVE-2026-44916
CVE-2026-44917 CVE-2026-44919 CVE-2026-46447
CVE-2026-48681

Multiple security vulnerabilities were discovered in Ironic, the
OpenStack component that manages and provisions bare-metal servers,
which could result in information disclosure or denial of service.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1:21.4.4-0+deb12u1. In addition python-oslo.messaging needed
to be updated to 14.0.3-0+deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 1:29.0.5-0+deb13u2. In addition python-oslo.messaging needed
to be updated to 16.1.0-3+deb13u1.

We recommend that you upgrade your ironic packages.

For the detailed security status of ironic please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ironic

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6340-1] neutron security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6340-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 11, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : neutron
CVE ID : CVE-2026-50266

Tim Shepard discovered a vulnerability in Neutron, the OpenStack virtual
network service, which allowed port RBAC (role-based access control)
rules to be bypassed.

The oldstable distribution (bookworm) is not affected.

For the stable distribution (trixie), this problem has been fixed in
version 2:26.0.3-0+deb13u2.

We recommend that you upgrade your neutron packages.

For the detailed security status of neutron please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/neutron

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1753-1 libxml2 security update


Package : libxml2

Version : 2.9.4+dfsg1-2.2+deb9u16 (stretch), 2.9.4+dfsg1-7+deb10u14 (buster)

Related CVEs :
CVE-2025-8732
CVE-2026-0989
CVE-2026-0990
CVE-2026-0992
CVE-2026-1757

Several security issues were found in libxml2, the GNOME XML library,
which could lead to Denial of Service.

CVE-2025-8732

Catalog parsing functions were missing cycle detection. When a
catalog file contains a CATALOG directive pointing to itself,
xmlExpandCatalog() and xmlParseSGMLCatalog() recursively call
each other without bounds until stack overflow.

CVE-2026-0989

The RelaxNG parser does not limit the recursion depth when resolving
directives, which may lead to a stack overflow on a malicious RelaxNG
schema file.

CVE-2026-0990

Nick Wellnhofer discovered that xmlCatalogXMLResolveURI() will
recurse infinitely if a catalog has a URI delegate referencing
itself, eventually resulting in a call stack overflow.

CVE-2026-0992

Nick Wellnhofer discovered that processing a chain of XML catalogs
linked with and having the element
takes exponential time, leading to denial of service via resource
exhaustion.
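The catalog bugs above (CVE-2025-8732, CVE-2026-0990 and CVE-2026-0992) share one root cause: a lookup that follows "next catalog" or delegate references without remembering which catalogs it has already searched. The following toy resolver, written for this digest and not taken from libxml2, shows the unchecked walk beside the hardened one. The catalog names, identifiers, the MAX_CHAIN_DEPTH bound and the constructed SAMPLE_CATALOGS are all assumptions for the example; Python's RecursionError stands in for the C stack overflow.

```python
"""Toy XML-catalog chain resolver: the lookup without cycle detection
recurses until the stack is exhausted on a self-referencing catalog; the
hardened lookup tracks visited catalogs and bounds the chain depth."""
from typing import Dict, Optional, Set

# A catalog maps identifiers to local URIs and lists further catalogs to
# consult when a lookup misses (the "next catalog" / delegate relation).
# Constructed sample catalogs, not real files: "main" delegates to
# "vendor", which delegates back to "main"; "selfref" points at itself.
SAMPLE_CATALOGS: Dict[str, dict] = {
    "main":    {"entries": {"urn:x:core": "/usr/share/xml/core.dtd"},
                "next": ["vendor"]},
    "vendor":  {"entries": {"urn:x:vendor": "/usr/share/xml/vendor.dtd"},
                "next": ["main"]},
    "selfref": {"entries": {}, "next": ["selfref"]},
}

MAX_CHAIN_DEPTH = 50  # assumed bound for this example, not libxml2's constant


def resolve_unsafe(catalogs: Dict[str, dict], name: str, ident: str) -> Optional[str]:
    """Lookup with no cycle detection: every miss follows every delegate,
    so a loop in the chain never terminates (RecursionError here, a
    stack overflow in C)."""
    cat = catalogs[name]
    hit = cat["entries"].get(ident)
    if hit is not None:
        return hit
    for nxt in cat["next"]:
        hit = resolve_unsafe(catalogs, nxt, ident)
        if hit is not None:
            return hit
    return None


def resolve_safe(catalogs: Dict[str, dict], name: str, ident: str,
                 visited: Optional[Set[str]] = None, depth: int = 0) -> Optional[str]:
    """Hardened lookup: each catalog is searched at most once per lookup
    (visited set), and the delegate chain is cut at MAX_CHAIN_DEPTH so a
    long non-cyclic chain cannot exhaust the stack either."""
    if visited is None:
        visited = set()
    if name in visited or depth > MAX_CHAIN_DEPTH:
        return None
    visited.add(name)
    cat = catalogs[name]
    hit = cat["entries"].get(ident)
    if hit is not None:
        return hit
    for nxt in cat["next"]:
        hit = resolve_safe(catalogs, nxt, ident, visited, depth + 1)
        if hit is not None:
            return hit
    return None


def unsafe_lookup_exhausts_stack(catalogs: Dict[str, dict], name: str, ident: str) -> bool:
    """True when the unchecked resolver blows the recursion limit."""
    try:
        resolve_unsafe(catalogs, name, ident)
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe lookup on selfref crashes:",
          unsafe_lookup_exhausts_stack(SAMPLE_CATALOGS, "selfref", "urn:x:missing"))
    print("safe lookup on selfref:", resolve_safe(SAMPLE_CATALOGS, "selfref", "urn:x:missing"))
    print("safe lookup via chain:", resolve_safe(SAMPLE_CATALOGS, "main", "urn:x:vendor"))
```

Because the visited set is shared across sibling delegates within one lookup, the hardened resolver also visits a chain in which several catalogs reference the same delegate through different paths only once per catalog, which is the linear rather than exponential behaviour the CVE-2026-0992 fix restores.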

CVE-2026-1757

The command parsing logic of the xmllint(1) interactive shell was
found to leak memory.

In addition, a few other security issues were found for which no CVE ID
was assigned yet:

Memory leak of prefix in xmlTextWriterStartElementNS().
Potential use-after-free issue in xmlRelaxNGValidateValue().
Memory leak in xmlTextWriterStartAttributeNS().
Additional memory leaks on error paths in schematron.
Stack overflow from self-referencing SGML CATALOG entries.
