Debian 10853

Debian's security teams have issued updates for the libxml-parser-perl package that resolve buffer overflow vulnerabilities in several older releases, including bullseye and buster. The patches address heap corruption that can occur when parsing XML files with very deep element nesting, or when the input filehandle carries a :utf8 layer. A separate advisory covers the roundcube webmail software, in which multiple flaws, including cross-site scripting and access control bypasses, affect the current bookworm and trixie releases.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) LTS:
ELA-1675-1 libxml-parser-perl security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4522-1] libxml-parser-perl security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6196-1] roundcube security update
[SECURITY] [DLA 4522-1] libxml-parser-perl security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4522-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
April 04, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libxml-parser-perl
Version : 2.46-2+deb11u1
CVE ID : CVE-2006-10003
Debian Bug : 378412

It was discovered that libxml-parser-perl, a Perl module for parsing XML
files, was prone to an off-by-one heap buffer overflow in `st_serial_stack()`.

This update also includes a follow-up improvement for CVE-2006-10002
(buffer overwrite in `parse_stream()`).

For Debian 11 bullseye, these problems have been fixed in version
2.46-2+deb11u1.

We recommend that you upgrade your libxml-parser-perl packages.

For the detailed security status of libxml-parser-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml-parser-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1675-1 libxml-parser-perl security update


Package : libxml-parser-perl
Version : 2.44-2+deb9u1 (stretch), 2.44-4+deb10u1 (buster)

Related CVEs :
CVE-2006-10002
CVE-2006-10003

CVE-2006-10002

Buffer overwrite in parse_stream(), which may lead to denial of
service when the filehandle has an :utf8 layer.

CVE-2006-10003

Off-by-one heap buffer overflow in st_serial_stack(), which can be
observed when parsing an XML file with very deep element nesting.


[SECURITY] [DSA 6196-1] roundcube security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6196-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 04, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : roundcube
CVE ID : CVE-2026-35537 CVE-2026-35538 CVE-2026-35539 CVE-2026-35540
CVE-2026-35541 CVE-2026-35542 CVE-2026-35543 CVE-2026-35544
CVE-2026-35545
Debian Bug : 1131182 1132268

Multiple vulnerabilities were discovered in roundcube, a skinnable AJAX
based webmail solution for IMAP servers, which could result in
information disclosure, IMAP injection, CSRF bypass, bypass of remote
image blocking, cross-site scripting, access control bypass, or
privilege escalation.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1.6.5+dfsg-1+deb12u8.

For the stable distribution (trixie), these problems have been fixed in
version 1.6.15+dfsg-0+deb13u1.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
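The fixed versions named in the three advisories above are only meaningful under Debian's own version ordering, in which `2.46-2+deb11u1` is newer than `2.46-2` and a `~` suffix sorts before the bare version. As an added example (not part of any advisory and not dpkg's own code), this Python reimplements that ordering and checks installed versions against the fixed versions from this page; the `FIXED` table, `compare_versions` and `is_fixed` are names chosen here, and the installed versions in the checks are constructed.

```python
import re
from itertools import zip_longest

# Fixed versions exactly as stated in the three advisories above.
FIXED = {
    ("libxml-parser-perl", "stretch"): "2.44-2+deb9u1",
    ("libxml-parser-perl", "buster"): "2.44-4+deb10u1",
    ("libxml-parser-perl", "bullseye"): "2.46-2+deb11u1",
    ("roundcube", "bookworm"): "1.6.5+dfsg-1+deb12u8",
    ("roundcube", "trixie"): "1.6.15+dfsg-0+deb13u1",
}

def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before end of string, letters before symbols."""
    if not c or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _fragment_cmp(a: str, b: str) -> int:
    """Compare an upstream version or Debian revision: alternate non-digit and digit runs."""
    pairs_a = re.findall(r"(\D*)(\d*)", a)
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):  # non-digit run, char by char
            d = _order(ca) - _order(cb)
            if d:
                return d
        if int(na or 0) != int(nb or 0):  # digit run, numeric (leading zeros ignored)
            return int(na or 0) - int(nb or 0)
    return 0

def _split(version: str):
    """Split [epoch:]upstream[-revision]; missing epoch is 0, missing revision is ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea - eb) or _fragment_cmp(ua, ub) or _fragment_cmp(ra, rb)
    return (r > 0) - (r < 0)

def is_fixed(package: str, suite: str, installed: str) -> bool:
    """True when `installed` is at or above the version the advisory names as fixed."""
    return compare_versions(installed, FIXED[(package, suite)]) >= 0
```

On a real host the installed version comes from `dpkg-query -W -f='${Version}' libxml-parser-perl`; a version string of the previous revision (for example `2.46-2`) is reported as still vulnerable.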