Debian released three security advisories targeting vulnerabilities found in libpng1.6, lxd, and netty. These flaws pose significant risks including privilege escalation or denial of service attacks against users running older distributions. The Netty advisory highlights distinct threats such as SMTP command injection which could allow attackers to forge emails from trusted servers. Users should upgrade their packages now using the specific version numbers provided for their respective Debian releases.

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4519-1] netty security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6189-1] libpng1.6 security update
[DSA 6188-1] lxd security update

[SECURITY] [DSA 6189-1] libpng1.6 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6189-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 31, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libpng1.6
CVE ID : CVE-2026-33416 CVE-2026-33636

Two security vulnerabilities were discovered in libpng, a library
implementing an interface for reading and writing PNG (Portable Network
Graphics) files, which could result in denial of service or potentially
the execution of arbitrary code.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1.6.39-2+deb12u4.

For the stable distribution (trixie), these problems have been fixed in
version 1.6.48-1+deb13u4.

We recommend that you upgrade your libpng1.6 packages.

For the detailed security status of libpng1.6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6188-1] lxd security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6188-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 31, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : lxd
CVE ID : CVE-2026-28384 CVE-2026-33542 CVE-2026-33897

Multiple security issues were discovered in LXD, a system container
and virtual machine manager, which could result in privilege escalation
or the execution of arbitrary commands.

For the oldstable distribution (bookworm), these problems have been fixed
in version 5.0.2-5+deb12u4.

For the stable distribution (trixie), these problems have been fixed in
version 5.0.2+git20231211.1364ae4-9+deb13u4.

We recommend that you upgrade your lxd packages.

For the detailed security status of lxd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lxd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DLA 4519-1] netty security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4519-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucari??s
March 31, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : netty
Version : 1:4.1.48-4+deb11u3
CVE ID : CVE-2024-29025 CVE-2025-55163 CVE-2025-58056 CVE-2025-58057
CVE-2025-59419 CVE-2025-67735
Debian Bug : 1068110 1111105 1113994 1118282 1123606

Several security vulnerabilities have been discovered in Netty, a Java NIO
client/server socket framework. It was found that Netty was vulnerable to the
MadeYouReset DDoS attack, a logical vulnerability in the HTTP/2 protocol
itself and programming errors which enabled request smuggling attacks.
Additionally Netty contained an SMTP command injection vulnerability due to
insufficient input validation potentially allowing remote attackers to forge
arbitrary emails from trusted servers.

The security update also contains the fix for CVE-2024-29025.
Julien Viet discovered that Netty was vulnerable to allocation of resources
without limits or throttling due to the accumulation of data in the
HttpPostRequestDecoder. This would allow an attacker to cause a denial of
service.

For Debian 11 bullseye, these problems have been fixed in version
1:4.1.48-4+deb11u3.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/netty

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS