
Debian has released several security updates to address vulnerabilities in various packages. The first update affects libstb, a collection of single-file image and audio processing libraries for C/C++, and fixes multiple buffer overflow and denial-of-service vulnerabilities. nss, the Mozilla Network Security Services library, was also updated to fix an integer overflow that could allow an attacker to cause a denial of service. Additionally, python-django, chromium, and other packages received security updates to address various issues, including arbitrary code execution, denial of service, and information disclosure vulnerabilities.

[DLA 4493-1] libstb security update
[DSA 6149-1] nss security update
[DSA 6150-1] python-django security update
[DSA 6151-1] chromium security update



[SECURITY] [DLA 4493-1] libstb security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4493-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
February 26, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libstb
Version : 0.0~git20200713.b42009b+ds-1+deb11u1
CVE ID : CVE-2021-28021 CVE-2021-37789 CVE-2021-42715 CVE-2022-28041
CVE-2022-28042

Several vulnerabilities were discovered in libstb, single-file image
and audio processing libraries for C/C++.

CVE-2021-28021

Buffer overflow in the function stbi__extend_receive in stb_image.h,
which can be triggered by a crafted JPEG file.

CVE-2021-37789

A heap-based buffer over-read in stbi__jpeg_load, leading to
information disclosure or denial of service.

CVE-2021-42715

The HDR loader parsed truncated end-of-file RLE scanlines as an
infinite sequence of zero-length runs. An attacker could
potentially have caused denial of service in applications using
stb_image by submitting crafted HDR files.
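As an added illustration of the failure mode described above (this is not stb_image's own code): a minimal Radiance-HDR-style RLE scanline decoder whose byte reader returns 0 at end of input, hardened so that a truncated file yields an error instead of an endless loop of zero-length runs. The reader, the decoder and the sample buffers are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed byte reader that, like many loaders, hands back 0 at end of
 * input instead of reporting failure; this is what turns a truncated file
 * into an endless stream of zero-length runs. */
typedef struct { const uint8_t *p; size_t len, pos; } reader;
static uint8_t get8(reader *r) { return r->pos < r->len ? r->p[r->pos++] : 0; }

/* Decode `width` samples of one channel of a new-style RLE scanline: a count
 * byte > 128 repeats the next byte (count - 128) times, a count byte <= 128
 * copies that many literal bytes. Returns samples written, or -1 on corrupt
 * or truncated data. A count of 0 never advances `i`, so without the
 * `count == 0` checks the loop would spin forever once the file ends. */
int decode_rle_channel(reader *r, uint8_t *out, int width) {
    int i = 0;
    while (i < width) {
        int count = get8(r);
        if (count > 128) {                          /* run: one repeated value */
            uint8_t value = get8(r);
            count -= 128;
            if (count == 0 || i + count > width) return -1;
            memset(out + i, value, (size_t)count);
            i += count;
        } else {                                    /* dump: literal bytes */
            if (count == 0 || i + count > width) return -1;
            if ((size_t)count > r->len - r->pos) return -1; /* literals cut off */
            for (int z = 0; z < count; ++z) out[i++] = get8(r);
        }
    }
    return i;
}

/* Constructed inputs: a well-formed 5-sample scanline, then one cut off
 * after its first run so the reader returns zeros from then on. */
int demo_valid(void) {
    static const uint8_t buf[] = { 0x83, 0x11, 0x02, 0xAA, 0xBB }; /* 3x11, AA, BB */
    reader r = { buf, sizeof buf, 0 };
    uint8_t out[5] = { 0 };
    int n = decode_rle_channel(&r, out, 5);
    return n == 5 && out[0] == 0x11 && out[2] == 0x11 && out[3] == 0xAA && out[4] == 0xBB;
}
int demo_truncated(void) {
    static const uint8_t buf[] = { 0x83, 0x11 };    /* promises 3 of 5, then EOF */
    reader r = { buf, sizeof buf, 0 };
    uint8_t out[5] = { 0 };
    return decode_rle_channel(&r, out, 5);          /* -1, not an infinite loop */
}
```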

CVE-2022-28041

An integer overflow via the function
stbi__jpeg_decode_block_prog_dc. This vulnerability allows
attackers to cause a denial of service (DoS) via unspecified
vectors.

CVE-2022-28042

A heap-based use-after-free via the function
stbi__jpeg_huff_decode.

For Debian 11 bullseye, these problems have been fixed in version
0.0~git20200713.b42009b+ds-1+deb11u1.

We recommend that you upgrade your libstb packages.

For the detailed security status of libstb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libstb

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6149-1] nss security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6149-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 26, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : nss
CVE ID : CVE-2026-2781

Clay Ver Valen discovered an integer overflow in the AES-GCM
implementation of the Mozilla Network Security Service libraries.

For the oldstable distribution (bookworm), this problem has been fixed
in version 2:3.87.1-1+deb12u2.

For the stable distribution (trixie), this problem has been fixed in
version 2:3.110-1+deb13u1.

We recommend that you upgrade your nss packages.

For the detailed security status of nss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nss

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6150-1] python-django security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6150-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 26, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python-django
CVE ID : CVE-2025-13473 CVE-2025-14550 CVE-2026-1207 CVE-2026-1285
CVE-2026-1287 CVE-2026-1312

Multiple security issues were found in Django, a Python web development
framework, which could result in denial of service, information
disclosure or SQL injection.

For the oldstable distribution (bookworm), these problems have been fixed
in version 3:3.2.25-0+deb12u2.

For the stable distribution (trixie), these problems have been fixed in
version 3:4.2.28-0+deb13u1.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6151-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6151-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
February 26, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2026-3061 CVE-2026-3062 CVE-2026-3063

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the oldstable distribution (bookworm), these problems have been fixed
in version 145.0.7632.116-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 145.0.7632.116-1~deb13u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/