Debian 10994 Published by

Debian Long Term Support issued security advisories DLA-4679 through DLA-4682 to patch vulnerabilities in mesa, p7zip, redis, and imagemagick. These updates resolve critical flaws including WebGPU memory corruption in mesa, a cluster of eight memory issues in the p7zip archiver, and potential remote code execution bugs in redis and imagemagick triggered by malformed input or authenticated attacks. Administrators managing Debian 11 bullseye must upgrade mesa to 20.3.5-1+deb11u1, p7zip to 16.02+really26.01+dfsg-0+deb11u1, and imagemagick to 8:6.9.11.60+dfsg-1.3+deb11u15, while Debian 12 bookworm users should apply the fix to redis version 5:7.0.15-1~deb12u8, imagemagick version 8:6.9.11.60+dfsg-1.6+deb12u12, and a mesa update currently denoted by a version placeholder. p7zip specifically receives a replacement with a modified 7-Zip release to address its lack of active maintenance, and Debian LTS urges immediate installation of these updates via standard package management tools.

[DLA 4679-1] mesa security update
[DLA 4681-1] p7zip security update
[DLA 4682-1] redis security update
[DLA 4680-1] imagemagick security update



[SECURITY] [DLA 4679-1] mesa security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4679-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
July 13, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : mesa
Version : 20.3.5-1+deb11u1 $bookworm_VERSION
CVE ID : CVE-2026-40393
Debian Bug :

A vulnerability has been found in the mesa 3D graphics library, possibly
allowing out of bound memory access by craftet input.

CVE-2026-40393

An out-of-bounds memory access can occur in WebGPU because the amount
of to-be-allocated data depends on an untrusted party, and is then
used for alloca.

For Debian 11 bullseye, this problem has been fixed in version
20.3.5-1+deb11u1.

For Debian 12 bookworm, this problem has been fixed in version
$bookworm_VERSION.

We recommend that you upgrade your mesa packages.

For the detailed security status of mesa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mesa

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4681-1] p7zip security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4681-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
July 13, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : p7zip
Version : 16.02+really26.01+dfsg-0+deb11u1
CVE ID : CVE-2026-48092 CVE-2026-48095 CVE-2026-48101 CVE-2026-48102
CVE-2026-48103 CVE-2026-48104 CVE-2026-48111 CVE-2026-48112

Multiple memory corruption vulnerabilities were discovered in p7zip, a
now unmaintained fork of 7-Zip, which itself is a file archiver
handling multiple formats.

To address these security vulnerabilities, whose fixes are
unfortunately not isolated, this update again replaces p7zip with a
recent 7-Zip (now v26.01), slightly modified to make it reasonably
compatible with p7zip.

CVE-2026-48092

SquashFS Fragment Offset Overflow

CVE-2026-48095

Heap Buffer Write Overflow

CVE-2026-48101

UEFI Capsule uninitialized heap memory disclosure

CVE-2026-48102

UDF Field OOB Read

CVE-2026-48103

WIM SecurityId OOB read

CVE-2026-48104

SquashFS BlockToNode uninitialized heap read

CVE-2026-48111

UEFI DEPEX OOB Read

CVE-2026-48112

Ar SYMDEF OOB Read

For Debian 11 bullseye, these problems have been fixed in version
16.02+really26.01+dfsg-0+deb11u1.

We recommend that you upgrade your p7zip packages.

For the detailed security status of p7zip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/p7zip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4682-1] redis security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4682-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
July 13, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : redis
Version : 5:7.0.15-1~deb12u8
CVE ID : CVE-2026-23631 CVE-2026-25243

It was discovered that there were two issues in Redis, the in-memory
key/value database:

CVE-2026-23631

An authenticated attacker could have exploited the master-replica
synchronization mechanism to trigger a use-after-free on replicas
where "replica-read-only" is disabled (or could be disabled),
which may have led to remote code execution. Installations that
prevent users from executing Lua scripts were unaffected.

CVE-2026-25243

The RESTORE command did not properly validate serialized values.
An authenticated attacker with permission to execute RESTORE
could have suppled a crafted serialized payload that triggers
invalid memory access and this could have led to remote code
execution.

For Debian 12 bookworm, these problems have been fixed in version
5:7.0.15-1~deb12u8.

We recommend that you upgrade your redis packages.

For the detailed security status of redis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/redis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4680-1] imagemagick security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4680-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucari??s
July 13, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : imagemagick
Version : 8:6.9.11.60+dfsg-1.3+deb11u15 8:6.9.11.60+dfsg-1.6+deb12u12
CVE ID : CVE-2026-53466 CVE-2026-53467 CVE-2026-55577 CVE-2026-55594
CVE-2026-55595 CVE-2026-55597 CVE-2026-55628 CVE-2026-56361
CVE-2026-56363 CVE-2026-56365 CVE-2026-56366 CVE-2026-56367
CVE-2026-56368 CVE-2026-56370 CVE-2026-56371 CVE-2026-56373
CVE-2026-56376 CVE-2026-56377 CVE-2026-56378

Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to denial of service, information disclosure or potentially
arbitrary code execution if malformed images are processed.

For Debian 11 bullseye, these problems have been fixed in version
8:6.9.11.60+dfsg-1.3+deb11u15.

For Debian 12 bookworm, these problems have been fixed in version
8:6.9.11.60+dfsg-1.6+deb12u12

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS