[DLA 4679-1] mesa security update
[DLA 4681-1] p7zip security update
[DLA 4682-1] redis security update
[DLA 4680-1] imagemagick security update
[SECURITY] [DLA 4679-1] mesa security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4679-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
July 13, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : mesa
Version : 20.3.5-1+deb11u1 $bookworm_VERSION
CVE ID : CVE-2026-40393
Debian Bug :
A vulnerability has been found in the mesa 3D graphics library, possibly
allowing out of bound memory access by craftet input.
CVE-2026-40393
An out-of-bounds memory access can occur in WebGPU because the amount
of to-be-allocated data depends on an untrusted party, and is then
used for alloca.
For Debian 11 bullseye, this problem has been fixed in version
20.3.5-1+deb11u1.
For Debian 12 bookworm, this problem has been fixed in version
$bookworm_VERSION.
We recommend that you upgrade your mesa packages.
For the detailed security status of mesa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mesa
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4681-1] p7zip security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4681-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
July 13, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : p7zip
Version : 16.02+really26.01+dfsg-0+deb11u1
CVE ID : CVE-2026-48092 CVE-2026-48095 CVE-2026-48101 CVE-2026-48102
CVE-2026-48103 CVE-2026-48104 CVE-2026-48111 CVE-2026-48112
Multiple memory corruption vulnerabilities were discovered in p7zip, a
now unmaintained fork of 7-Zip, which itself is a file archiver
handling multiple formats.
To address these security vulnerabilities, whose fixes are
unfortunately not isolated, this update again replaces p7zip with a
recent 7-Zip (now v26.01), slightly modified to make it reasonably
compatible with p7zip.
CVE-2026-48092
SquashFS Fragment Offset Overflow
CVE-2026-48095
Heap Buffer Write Overflow
CVE-2026-48101
UEFI Capsule uninitialized heap memory disclosure
CVE-2026-48102
UDF Field OOB Read
CVE-2026-48103
WIM SecurityId OOB read
CVE-2026-48104
SquashFS BlockToNode uninitialized heap read
CVE-2026-48111
UEFI DEPEX OOB Read
CVE-2026-48112
Ar SYMDEF OOB Read
For Debian 11 bullseye, these problems have been fixed in version
16.02+really26.01+dfsg-0+deb11u1.
We recommend that you upgrade your p7zip packages.
For the detailed security status of p7zip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/p7zip
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4682-1] redis security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4682-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
July 13, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : redis
Version : 5:7.0.15-1~deb12u8
CVE ID : CVE-2026-23631 CVE-2026-25243
It was discovered that there were two issues in Redis, the in-memory
key/value database:
CVE-2026-23631
An authenticated attacker could have exploited the master-replica
synchronization mechanism to trigger a use-after-free on replicas
where "replica-read-only" is disabled (or could be disabled),
which may have led to remote code execution. Installations that
prevent users from executing Lua scripts were unaffected.
CVE-2026-25243
The RESTORE command did not properly validate serialized values.
An authenticated attacker with permission to execute RESTORE
could have suppled a crafted serialized payload that triggers
invalid memory access and this could have led to remote code
execution.
For Debian 12 bookworm, these problems have been fixed in version
5:7.0.15-1~deb12u8.
We recommend that you upgrade your redis packages.
For the detailed security status of redis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/redis
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4680-1] imagemagick security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4680-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucari??s
July 13, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : imagemagick
Version : 8:6.9.11.60+dfsg-1.3+deb11u15 8:6.9.11.60+dfsg-1.6+deb12u12
CVE ID : CVE-2026-53466 CVE-2026-53467 CVE-2026-55577 CVE-2026-55594
CVE-2026-55595 CVE-2026-55597 CVE-2026-55628 CVE-2026-56361
CVE-2026-56363 CVE-2026-56365 CVE-2026-56366 CVE-2026-56367
CVE-2026-56368 CVE-2026-56370 CVE-2026-56371 CVE-2026-56373
CVE-2026-56376 CVE-2026-56377 CVE-2026-56378
Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to denial of service, information disclosure or potentially
arbitrary code execution if malformed images are processed.
For Debian 11 bullseye, these problems have been fixed in version
8:6.9.11.60+dfsg-1.3+deb11u15.
For Debian 12 bookworm, these problems have been fixed in version
8:6.9.11.60+dfsg-1.6+deb12u12
We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS