
Debian has released security updates for nginx, Erlang, and Netatalk that fix 35 vulnerabilities in total: eleven in nginx, four in Erlang, and twenty in Netatalk. The flaws include memory disclosure, heap buffer overflows and over-reads, path traversal, HTTP request smuggling, and denial of service, most of them reachable through crafted network requests, attacker-controlled upstream or DNS responses, or specially formatted files such as MP4 media. Administrators running Debian 11 bullseye (LTS) should update nginx and erlang to the versions given below; Debian 13 trixie users should install the new netatalk package.

[DLA 4589-1] nginx security update
[DLA 4590-1] erlang security update
[DSA 6280-1] netatalk security update




[SECURITY] [DLA 4589-1] nginx security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4589-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Carlos Henrique Lima Melara
May 18, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nginx
Version : 1.18.0-6.1+deb11u6
CVE ID : CVE-2025-53859 CVE-2026-1642 CVE-2026-27651 CVE-2026-27654
CVE-2026-27784 CVE-2026-28753 CVE-2026-32647 CVE-2026-40701
CVE-2026-42934 CVE-2026-42945 CVE-2026-42946
Debian Bug : 1111138 1127053

Multiple vulnerabilities were discovered in Nginx, a high-performance web and
reverse proxy server, which could result in bypass of authorisation rules or
rate limits, denial of service or memory disclosure.

CVE-2025-53859

NGINX Open Source has a vulnerability in the ngx_mail_smtp_module that
might allow an unauthenticated attacker to over-read NGINX SMTP
authentication process memory; as a result, the server side may leak
arbitrary bytes sent in a request to the authentication server. This issue
happens during the NGINX SMTP authentication process and requires the
attacker to make preparations against the target system to extract the
leaked data. The issue affects NGINX only if (1) it is built with the
ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method
"none," and (3) the authentication server returns the "Auth-Wait" response
header.

CVE-2026-1642

A vulnerability exists in NGINX OSS when configured to proxy to upstream
Transport Layer Security (TLS) servers. An attacker with a
man-in-the-middle (MITM) position on the upstream server side—along with
conditions beyond the attacker's control—may be able to inject plain text
data into the response from an upstream proxied server.

CVE-2026-27651

When the ngx_mail_auth_http_module module is enabled on NGINX Open Source,
undisclosed requests can cause worker processes to terminate. This issue
may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the
authentication server permits retry by returning the Auth-Wait response
header.

CVE-2026-27654

NGINX Open Source has a vulnerability in the ngx_http_dav_module module
that might allow an attacker to trigger a buffer overflow to the NGINX
worker process; this vulnerability may result in termination of the NGINX
worker process or modification of source or destination file names outside
the document root. This issue affects NGINX Open Source when the
configuration file uses DAV module MOVE or COPY methods, prefix location
(nonregular expression location configuration), and alias directives. The
integrity impact is constrained because the NGINX worker process user has
low privileges and does not have access to the entire system.

CVE-2026-27784

The 32-bit implementation of NGINX Open Source has a vulnerability in the
ngx_http_mp4_module module, which might allow an attacker to over-read or
over-write NGINX worker memory resulting in its termination, using a
specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source
if it is built with the ngx_http_mp4_module module and the mp4 directive is
used in the configuration file. Additionally, the attack is possible only
if an attacker can trigger the processing of a specially crafted MP4 file
with the ngx_http_mp4_module module.

CVE-2026-28753

NGINX Open Source has a vulnerability in the ngx_mail_smtp_module module
due to the improper handling of CRLF sequences in DNS responses. This
allows an attacker-controlled DNS server to inject arbitrary headers into
SMTP upstream requests, leading to potential request manipulation.

CVE-2026-32647

NGINX Open Source has a vulnerability in the ngx_http_mp4_module module,
which might allow an attacker to trigger a buffer over-read or over-write
to the NGINX worker memory resulting in its termination or possibly code
execution, using a specially crafted MP4 file. This issue affects NGINX
Open Source if it is built with the ngx_http_mp4_module module and the mp4
directive is used in the configuration file. Additionally, the attack is
possible only if an attacker can trigger the processing of a specially
crafted MP4 file with the ngx_http_mp4_module module.

CVE-2026-40701

NGINX Open Source has a vulnerability in the ngx_http_ssl_module module
when the ssl_verify_client directive is set to "on" or "optional," and the
ssl_ocsp directive is set to "on" or the leaf parameters are configured
with a resolver. With this configuration, an unauthenticated attacker can
send requests along with conditions beyond its control that may cause a
heap-use-after-free error in the NGINX worker process. This vulnerability
may result in limited modification of data or the NGINX worker process
restarting.

CVE-2026-42934

NGINX Open Source has a vulnerability in the ngx_http_charset_module
module. When charset, source_charset, and charset_map and proxy_pass with
disabled buffering ("off") directives are configured, unauthenticated
attackers can send requests that with conditions beyond the attackers'
control to cause a heap buffer over-read in the NGINX worker process,
leading to limited disclosure of memory or a restart.

CVE-2026-42945

NGINX Open Source has a vulnerability in the ngx_http_rewrite_module
module. This vulnerability exists when the rewrite directive is followed by
a rewrite, if, or set directive and an unnamed Perl-Compatible Regular
Expression (PCRE) capture (for example, $1, $2) with a replacement string
that includes a question mark (?). An unauthenticated attacker along with
conditions beyond its control can exploit this vulnerability by sending
crafted HTTP requests. This may cause a heap buffer overflow in the NGINX
worker process leading to a restart. Additionally, for systems with Address
Space Layout Randomization (ASLR) disabled, code execution is possible.

CVE-2026-42946

A vulnerability exists in the ngx_http_scgi_module and
ngx_http_uwsgi_module modules that may result in excessive memory
allocation or an over-read of data. When scgi_pass or uwsgi_pass is
configured, an unauthenticated attacker with man-in-the-middle (MITM)
ability to control responses from an upstream server may be able to read
the memory of the NGINX worker process or restart it.
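Every precondition above is a build flag or a configuration directive, so the triage can be scripted. The following shell script is an added example written for this page; it is not part of the Debian advisory or of nginx itself. It takes the output of `nginx -V` (configure arguments) and `nginx -T` (the fully expanded configuration) and prints the CVE IDs from DLA-4589-1 whose stated preconditions match. The function names (`strip_comments`, `built_with`, `uses`, `affected_cves`) and the sample build flags and configuration are constructed for illustration; a hit means the configuration matches the advisory's description and the update should be applied, not that exploitation has been demonstrated.

```shell
#!/bin/sh
# Added triage script for DLA-4589-1 (not from Debian or the nginx project).
# Inputs: the text of `nginx -V 2>&1` and `nginx -T 2>/dev/null`.
# Output: CVE IDs whose advisory preconditions appear in this build and config.

# strip_comments CONFIG: drop '#' comments so commented-out directives do not count
strip_comments() { printf '%s\n' "$1" | sed 's/#.*$//'; }

# built_with FLAG NGINX_V_OUTPUT: true if FLAG is a whole configure argument.
# "--with-foo=dynamic" (Debian's packaging) counts as built; such a module is
# only active with a matching load_module line, so this is the conservative reading.
built_with() {
    printf '%s\n' "$2" | grep -Eq -- "(^|[[:space:]])$1([[:space:]=]|$)"
}

# uses ERE CONFIG: true if an uncommented line of CONFIG matches the regex
uses() { strip_comments "$2" | grep -Eq -- "$1"; }

# affected_cves NGINX_V_OUTPUT CONFIG: print matching CVE IDs, one per line, in ID order
affected_cves() {
    v=$1
    c=$2
    b='(^|[[:space:];{])'      # start-of-directive boundary
    if built_with --with-mail "$v"; then
        uses 'smtp_auth[[:space:]][^;]*none' "$c" && echo CVE-2025-53859
    fi
    uses 'proxy_pass[[:space:]]+https://' "$c" && echo CVE-2026-1642
    if built_with --with-mail "$v" && uses "${b}auth_http[[:space:]]" "$c"; then
        uses '(smtp_auth[[:space:]][^;]*cram-md5|pop3_auth[[:space:]][^;]*apop)' "$c" \
            && echo CVE-2026-27651
    fi
    if built_with --with-http_dav_module "$v"; then
        uses 'dav_methods[[:space:]][^;]*(MOVE|COPY)' "$c" \
            && uses "${b}alias[[:space:]]" "$c" && echo CVE-2026-27654
    fi
    mp4=0
    if built_with --with-http_mp4_module "$v" && uses "${b}mp4[[:space:]]*;" "$c"; then
        mp4=1
    fi
    [ "$mp4" = 1 ] && echo CVE-2026-27784   # 32-bit builds only: confirm with `uname -m`
    if built_with --with-mail "$v"; then
        uses 'protocol[[:space:]]+smtp' "$c" && echo CVE-2026-28753
    fi
    [ "$mp4" = 1 ] && echo CVE-2026-32647
    uses 'ssl_verify_client[[:space:]]+(on|optional)' "$c" \
        && uses 'ssl_ocsp[[:space:]]+(on|leaf)' "$c" && echo CVE-2026-40701
    uses "${b}charset[[:space:]]" "$c" && uses "${b}source_charset[[:space:]]" "$c" \
        && uses "${b}charset_map[[:space:]]" "$c" \
        && uses 'proxy_buffering[[:space:]]+off' "$c" && echo CVE-2026-42934
    # a rewrite whose directive carries both an unnamed capture ($N) and a '?';
    # the "followed by rewrite/if/set" condition is not checked, so this over-approximates
    uses 'rewrite[[:space:]][^;]*(\$[0-9][^;]*\?|\?[^;]*\$[0-9])' "$c" && echo CVE-2026-42945
    uses '(scgi|uwsgi)_pass[[:space:]]' "$c" && echo CVE-2026-42946
    return 0
}

# Constructed sample inputs (not taken from a real host)
SAMPLE_V='nginx version: nginx/1.18.0
built with OpenSSL 1.1.1n  15 Mar 2022
configure arguments: --with-http_ssl_module --with-http_dav_module --with-http_mp4_module --with-mail=dynamic --with-mail_ssl_module=dynamic'

SAMPLE_CONF='http {
    server {
        listen 443 ssl;
        ssl_verify_client optional;
        ssl_ocsp on;
        location /media/ { mp4; }
        location /files/ {
            alias /srv/files/;
            dav_methods PUT DELETE MKCOL COPY MOVE;
        }
        # uwsgi_pass unix:/run/app.sock;   (commented out: must not count)
        location /api/ { proxy_pass http://127.0.0.1:8080; }
    }
}
mail {
    auth_http 127.0.0.1:9000/auth;
    server {
        listen 25;
        protocol smtp;
        smtp_auth login plain none;
    }
}'

# On a live host:  affected_cves "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
affected_cves "$SAMPLE_V" "$SAMPLE_CONF"
```

On the sample input the script reports CVE-2025-53859, CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-28753 and CVE-2026-40701, and stays silent on the commented-out uwsgi_pass. The checks are deliberately over-inclusive: CVE-2026-27784 is reported on every mp4-enabled build although only 32-bit builds are affected, dynamic modules are counted as present whether or not they are loaded, and `nginx -T` is used rather than a single file so that directives in included snippets are seen. None of this replaces installing 1.18.0-6.1+deb11u6; it only tells you which findings are worth prioritising on a host that cannot be updated immediately.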

For Debian 11 bullseye, these problems have been fixed in version
1.18.0-6.1+deb11u6.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4590-1] erlang security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4590-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Lucas Kanashiro
May 18, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : erlang
Version : 1:23.2.6+dfsg-1+deb11u4
CVE ID : CVE-2026-21620 CVE-2026-23941 CVE-2026-23942 CVE-2026-23943
Debian Bug : 1128651 1130912

Multiple vulnerabilities were discovered in Erlang, a concurrent, real-time,
distributed functional language.

CVE-2026-21620

Insufficient path sanitisation in the tftp_file module.

CVE-2026-23941

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in Erlang OTP (inets httpd module) allows HTTP Request
Smuggling.

CVE-2026-23942

Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path
Traversal.

CVE-2026-23943

Improper Handling of Highly Compressed Data (Compression Bomb)
vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of
Service via Resource Depletion.

For Debian 11 bullseye, these problems have been fixed in version
1:23.2.6+dfsg-1+deb11u4.

We recommend that you upgrade your erlang packages.

For the detailed security status of erlang please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/erlang

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6280-1] netatalk security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6280-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 18, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : netatalk
CVE ID : CVE-2026-44047 CVE-2026-44048 CVE-2026-44049 CVE-2026-44050
CVE-2026-44051 CVE-2026-44052 CVE-2026-44054 CVE-2026-44055
CVE-2026-44057 CVE-2026-44060 CVE-2026-44062 CVE-2026-44064
CVE-2026-44066 CVE-2026-44068 CVE-2026-44076 CVE-2026-45354
CVE-2026-45355 CVE-2026-45356 CVE-2026-45698 CVE-2026-45699

Multiple security vulnerabilities were found in Netatalk, an
implementation of the Apple Filing Protocol (AFP), which could result in
denial of service, information disclosure or the execution of arbitrary
code.

For the stable distribution (trixie), these problems have been fixed in
version 4.2.3~ds-1+deb13u2.

We recommend that you upgrade your netatalk packages.

For the detailed security status of netatalk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/netatalk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/