[DLA 4633-1] libreoffice security update
[DLA 4634-1] nginx security update
[DSA 6350-1] firefox-esr security update
[DSA 6349-1] atril security update
[SECURITY] [DLA 4633-1] libreoffice security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4633-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Rene Engelhard
June 17, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libreoffice
Version : 4:7.4.7-1+deb12u13
CVE ID : CVE-2026-6039 CVE-2026-6045 CVE-2026-8356 CVE-2026-8357
CVE-2026-8358
Multiple security vulnerabilities were discovered in LibreOffice,
which could result in denial of service or potentially the execution
of arbitrary code if malformed files are opened.
For Debian 12 bookworm, these problems have been fixed in version
4:7.4.7-1+deb12u13.
We recommend that you upgrade your libreoffice packages.
For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4634-1] nginx security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4634-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Carlos Henrique Lima Melara
June 17, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : nginx
Version : 1.18.0-6.1+deb11u7
CVE ID : CVE-2026-9256
Debian Bug : 1137339
A vulnerability was discovered in Nginx, a high-performance web and reverse
proxy server, which could result in remote code execution and denial of
service.
For Debian 11 bullseye, this problem has been fixed in version
1.18.0-6.1+deb11u7.
We recommend that you upgrade your nginx packages.
For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6350-1] firefox-esr security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6350-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 17, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : firefox-esr
CVE ID : CVE-2026-12289 CVE-2026-12290 CVE-2026-12291 CVE-2026-12292
CVE-2026-12294 CVE-2026-12295 CVE-2026-12296 CVE-2026-12297
CVE-2026-12298 CVE-2026-12299 CVE-2026-12302 CVE-2026-12304
CVE-2026-12305 CVE-2026-12306 CVE-2026-12307 CVE-2026-12308
CVE-2026-12309 CVE-2026-12310 CVE-2026-12311 CVE-2026-12312
CVE-2026-12313 CVE-2026-12314 CVE-2026-12315 CVE-2026-12324
CVE-2026-12325 CVE-2026-12327 CVE-2026-12328 CVE-2026-12329
CVE-2026-12330
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, bypass of the same-origin policy, privilege escalation,
information disclosure, spoofing or sandbox escape.
For the stable distribution (trixie), these problems have been fixed in
version 140.12.0esr-1~deb13u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6349-1] atril security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6349-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 17, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : atril
CVE ID : CVE-2026-46529
Debian Bug : 1139874
It was discovered that atril, the MATE document viewer, is prone to a
command injection vulnerability if a specially crafted PDF file is
opened.
For the stable distribution (trixie), this problem has been fixed in
version 1.26.2-4+deb13u1.
We recommend that you upgrade your atril packages.
For the detailed security status of atril please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/atril
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/