Debian 10849 Published by

Several Debian security advisories were released recently addressing critical vulnerabilities across a range of packages. The libpng1.6 library needs immediate attention on stretch and buster systems because a use-after-free could let attackers run arbitrary code. Flaws in other packages, pyasn1, inetutils and python-tornado, pose different risks, including denial of service and privilege escalation, that also need addressing.

Debian GNU/Linux 9 (Stretch) ELTS:
ELA-1674-1 libpng1.6 security update

Debian GNU/Linux 10 (Buster) ELTS:
ELA-1673-1 libpng1.6 security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6194-1] pyasn1 security update
[DSA 6193-1] inetutils security update
[DSA 6195-1] python-tornado security update



ELA-1674-1 libpng1.6 security update


Package : libpng1.6

Version : 1.6.28-1+deb9u4 (stretch)

Related CVEs :
CVE-2026-33416

A security vulnerability has been discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could potentially result in the execution of arbitrary code.
CVE-2026-33416
Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`, potentially allowing arbitrary code execution



ELA-1673-1 libpng1.6 security update


Package : libpng1.6

Version : 1.6.36-6+deb10u3 (buster)

Related CVEs :
CVE-2026-33416
CVE-2026-33636

Two security vulnerabilities were discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could result in denial of service or potentially the execution of arbitrary code.
CVE-2026-33416
Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`, potentially allowing arbitrary code execution

CVE-2026-33636
Out-of-bounds read/write in the palette expansion on ARM Neon, potentially causing a crash (DoS)



[SECURITY] [DSA 6194-1] pyasn1 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6194-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 03, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pyasn1
CVE ID : CVE-2026-30922
Debian Bug : 1131371

It was discovered that pyasn1, a generic ASN.1 library for Python, is
prone to a denial of service vulnerability when decoding ASN.1 data with
deeply nested structures.

For the oldstable distribution (bookworm), this problem has been fixed
in version 0.4.8-3+deb12u2.

For the stable distribution (trixie), this problem has been fixed in
version 0.6.1-1+deb13u2.

We recommend that you upgrade your pyasn1 packages.

For the detailed security status of pyasn1 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/pyasn1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
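The pyasn1 issue above is the classic "decoder recurses as deep as the input nests" problem. As an added illustration (not pyasn1's own code and not part of the advisory), the following is a minimal DER TLV walker that enforces a configurable nesting limit, so a deeply nested SEQUENCE is rejected early instead of exhausting the interpreter stack. `MAX_DEPTH`, `wrap_in_sequences`, `walk` and `check_depth` are names chosen for this example; the nested input it tests against is constructed inline.

```python
"""Depth-bounded DER walker (added example; not pyasn1 code)."""

# Assumption: 32 levels is a generous bound for the ASN.1 structures a
# typical application decodes (certificates, CRLs, Kerberos messages).
MAX_DEPTH = 32


class NestingTooDeep(ValueError):
    """Raised when the input nests beyond the configured limit."""


def _encode_length(n: int) -> bytes:
    """DER length encoding: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def wrap_in_sequences(payload: bytes, levels: int) -> bytes:
    """Constructed test input: wrap payload in `levels` nested SEQUENCEs."""
    for _ in range(levels):
        payload = b"\x30" + _encode_length(len(payload)) + payload
    return payload


def _read_length(data: bytes, pos: int):
    """Decode a DER length at data[pos]; returns (length, new_pos)."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
        raise ValueError("malformed length")
    return int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes


def walk(data: bytes, max_depth: int = MAX_DEPTH, _depth: int = 0) -> int:
    """Walk every TLV in `data`, descending into constructed values.

    Returns the deepest nesting level seen (0 for a flat sequence of
    primitives). Raises NestingTooDeep before recursing past max_depth,
    which is the check that turns unbounded recursion into a clean error.
    """
    if _depth > max_depth:
        raise NestingTooDeep(f"nesting exceeds {max_depth}")
    pos, deepest = 0, _depth
    while pos < len(data):
        tag = data[pos]
        pos += 1
        length, pos = _read_length(data, pos)
        if pos + length > len(data):
            raise ValueError("truncated value")
        value = data[pos:pos + length]
        pos += length
        if tag & 0x20:  # constructed tag: recurse into its contents
            deepest = max(deepest, walk(value, max_depth, _depth + 1))
    return deepest


def check_depth(data: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """True if the input nests within max_depth, False if it was rejected."""
    try:
        walk(data, max_depth)
    except NestingTooDeep:
        return False
    return True


if __name__ == "__main__":
    shallow = wrap_in_sequences(b"\x05\x00", 3)      # SEQ{SEQ{SEQ{NULL}}}
    hostile = wrap_in_sequences(b"\x05\x00", 1000)   # constructed deep input
    print("shallow depth:", walk(shallow))           # 3
    print("hostile accepted:", check_depth(hostile)) # False
```

The limit is enforced on entry to each constructed value, so the cost of a rejected input is bounded by `max_depth` frames regardless of how many thousands of levels the attacker-supplied bytes actually contain; the same idea applies to any recursive-descent decoder.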


[SECURITY] [DSA 6193-1] inetutils security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6193-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 03, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : inetutils
CVE ID : CVE-2026-32746 CVE-2026-32772
Debian Bug : 1130741 1130742

Several vulnerabilities were discovered in the inetutils implementation
of telnetd and telnet, which may result in privilege escalation or
information disclosure.

For the oldstable distribution (bookworm), these problems have been fixed
in version 2:2.4-2+deb12u3.

For the stable distribution (trixie), these problems have been fixed in
version 2:2.6-3+deb13u3.

We recommend that you upgrade your inetutils packages.

For the detailed security status of inetutils please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/inetutils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6195-1] python-tornado security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6195-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 03, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : python-tornado
CVE ID : CVE-2025-67724 CVE-2025-67725 CVE-2025-67726

Multiple security vulnerabilities were discovered in the Tornado Python
web framework, which could result in denial of service, header injection
or cross-site scripting.

For the oldstable distribution (bookworm), this problem has been fixed
in version 6.2.0-3+deb12u4.

For the stable distribution (trixie), this problem has been fixed in
version 6.4.2-3+deb13u2.

We recommend that you upgrade your python-tornado packages.

For the detailed security status of python-tornado please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-tornado

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/