
Debian released four security advisories on June 30, 2026, to patch critical vulnerabilities in nginx and librabbitmq across multiple operating system versions. The nginx patches address two distinct flaws that could allow unauthenticated attackers to trigger heap buffer overflows or memory leaks, affecting both Debian 11 and Debian 13. Administrators must also update librabbitmq to resolve an underflow issue and a handshake overflow that compromise AMQP connections on Debian 11 and Debian 12. The advisory tracker update simultaneously marks the end of long-term security support for pagure, suricata, webkit2gtk, spip, and zulucrypt, while placing epiphany-browser and libsoup2.4 under limited protection.

[DLA 4660-1] nginx security update
[DLA 4659-1] debian-security-support update
[DLA 4658-1] librabbitmq security update
[DSA 6374-1] nginx security update




[SECURITY] [DLA 4660-1] nginx security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4660-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Carlos Henrique Lima Melara
June 30, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nginx
Version : 1.18.0-6.1+deb11u8
CVE ID : CVE-2026-42055 CVE-2026-48142
Debian Bug : 1138794 1140359 1140361

Multiple vulnerabilities were discovered in Nginx, a high-performance web
and reverse proxy server, which could result in remote code execution,
denial of service or memory disclosure.

CVE-2026-42055

NGINX Open Source has a vulnerability in the ngx_http_proxy_v2_module and
ngx_http_grpc_module modules. This vulnerability exists when the
proxy_http_version 2 or grpc_pass directives are used to proxy HTTP/2
traffic, the ignore_invalid_headers directive is set to off, and the
large_client_header_buffers directive size is larger than 2 megabytes. A
remote, unauthenticated attacker, along with conditions beyond their
control, could send large headers while creating an upstream request. This
may cause a heap-based buffer overflow in the NGINX worker process leading
to a restart. Additionally, attackers can execute code on systems with
Address Space Layout Randomization (ASLR) disabled or when the attacker can
bypass ASLR.

CVE-2026-48142

NGINX Open Source has a vulnerability in the ngx_http_charset_module module.
When content is served or proxied through a location block with both
source_charset utf-8; and a charset directive (for example, charset koi8-r;)
configured, remote, unauthenticated attackers can send requests (in
conjunction with conditions beyond their control) to cause a heap buffer
over-read in the NGINX worker process, leading to limited disclosure of
memory or a restart.

No CVE assigned yet

HTTP/2 Bomb denial of service
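Both nginx CVEs above are only reachable under specific configuration combinations, so a defender's first question is whether any deployed config actually meets them. The following Python script is an added example, not code from Debian or the nginx project: it parses a simplified nginx configuration (no `include`, variables or maps), applies nginx's context inheritance, and reports every block whose effective directives match the CVE-2026-42055 or CVE-2026-48142 conditions as stated in this advisory. Assumptions made here: the "larger than 2 megabytes" condition is read as the per-buffer size argument of `large_client_header_buffers` (default `4 8k`), `ignore_invalid_headers` defaults to `on`, `proxy_pass`/`grpc_pass` are not inherited into nested blocks, and a `charset` equal to `utf-8` is treated as no recoding and therefore not flagged. The sample configuration embedded at the bottom is constructed for illustration.

```python
"""Static check of an nginx configuration for the configuration conditions
named in DLA-4660-1 / DSA-6374-1 for CVE-2026-42055 and CVE-2026-48142.
Added example (not Debian's or nginx's code); the parser is deliberately
minimal and the threshold interpretations are assumptions, see comments."""
import re

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
# Directives that nginx applies only in the block where they are written.
NOT_INHERITED = {"proxy_pass", "grpc_pass", "listen"}


def parse_size(text):
    """Parse an nginx size literal such as 8k or 4m into bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", text)
    if not m:
        raise ValueError(f"bad nginx size literal: {text!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]


def tokenize(conf):
    """Strip # comments and split the config into words and { } ; tokens."""
    tokens = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0]
        tokens.extend(re.findall(r"[{};]|[^\s{};]+", line))
    return tokens


def parse_tree(tokens):
    """Build a block tree: each node holds its own directives and children."""
    root = {"name": "main", "directives": {}, "children": []}
    stack, args = [root], []
    for tok in tokens:
        if tok == ";":
            if args:
                stack[-1]["directives"][args[0]] = args[1:]
            args = []
        elif tok == "{":
            node = {"name": " ".join(args), "directives": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            args = []
        elif tok == "}":
            stack.pop()
        else:
            args.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def walk(node, inherited=None, path=""):
    """Yield (path, effective directives) for every block, with inheritance
    from enclosing blocks regardless of textual order, as nginx does."""
    effective = dict(inherited or {})
    effective.update(node["directives"])
    path = f"{path} > {node['name']}" if path else node["name"]
    yield path, effective
    child_base = {k: v for k, v in effective.items() if k not in NOT_INHERITED}
    for child in node["children"]:
        yield from walk(child, child_base, path)


def check_cve_2026_42055(eff):
    """HTTP/2 upstream + ignore_invalid_headers off + header buffer > 2 MiB."""
    if eff.get("proxy_http_version") != ["2"] and "grpc_pass" not in eff:
        return None
    if eff.get("ignore_invalid_headers", ["on"])[0].lower() != "off":
        return None
    bufs = eff.get("large_client_header_buffers", ["4", "8k"])
    if parse_size(bufs[-1]) <= 2 * 1024 ** 2:   # assumption: per-buffer size
        return None
    return (f"CVE-2026-42055 conditions met: HTTP/2 upstream, "
            f"ignore_invalid_headers off, large_client_header_buffers {bufs[-1]}")


def check_cve_2026_48142(eff):
    """source_charset utf-8 combined with a recoding charset directive."""
    src = eff.get("source_charset", [None])[0]
    cs = eff.get("charset", [None])[0]
    if src and src.lower() == "utf-8" and cs and cs.lower() != "utf-8":
        return f"CVE-2026-48142 conditions met: source_charset utf-8 with charset {cs}"
    return None


def audit(conf):
    """Return a list of (block path, message) findings for the config text."""
    findings = []
    for path, eff in walk(parse_tree(tokenize(conf))):
        for check in (check_cve_2026_42055, check_cve_2026_48142):
            msg = check(eff)
            if msg:
                findings.append((path, msg))
    return findings


# Constructed sample configuration: one vulnerable proxy location, one
# vulnerable charset location, and one HTTP/1.1 location that is not affected.
SAMPLE_CONF = """
http {
    large_client_header_buffers 4 4m;   # above the 2 MB threshold
    server {
        listen 443 ssl;
        ignore_invalid_headers off;
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
        location /legacy/ {
            source_charset utf-8;
            charset koi8-r;
        }
        location /safe/ {
            proxy_http_version 1.1;
            proxy_pass http://backend;
        }
    }
}
"""

if __name__ == "__main__":
    for block, message in audit(SAMPLE_CONF):
        print(f"{block}: {message}")
```

Run it against `nginx -T` output (which expands `include` for you) rather than raw files. The package side needs no parser: compare `dpkg-query -W -f='${Version}\n' nginx` against the fixed version with `dpkg --compare-versions`, and remember that a config that does not meet these conditions today still warrants the update, since the conditions only gate reachability, not the presence of the bug.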

For Debian 11 bullseye, these problems have been fixed in version
1.18.0-6.1+deb11u8.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4659-1] debian-security-support update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4659-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
June 30, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : debian-security-support
Version : 1:11+2026.06.30
Debian Bug : 1109118 1121942 1135153

debian-security-support, the Debian security support coverage checker, has been
updated in bullseye-security to mark the end of security support of the
following packages:

* pagure
* suricata
* webkit2gtk
* spip
* zulucrypt

In addition, security support for the following packages has been
declared limited:

* epiphany-browser
* libsoup2.4

For Debian 11 bullseye, this problem has been fixed in version
1:11+2026.06.30.

We recommend that you upgrade your debian-security-support packages.

For the detailed security status of debian-security-support please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/debian-security-support

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4658-1] librabbitmq security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4658-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
June 30, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : librabbitmq
Version : 0.10.0-1+deb11u2 0.11.0-1+deb12u2
CVE ID : CVE-2026-44235 CVE-2026-44236

Two issues were discovered in librabbitmq, a C-language client
library used to communicate with RabbitMQ servers using the Advanced
Message Queuing Protocol (AMQP).

CVE-2026-44235

A size_t underflow in AMQP frame length computation could have
led to an out-of-bounds read.

CVE-2026-44236

A heap buffer overflow in AMQP login handshake via undersized
connection.tune.frame_max.

For Debian 11 bullseye, these problems have been fixed in version
0.10.0-1+deb11u2.

For Debian 12 bookworm, these problems have been fixed in version
0.11.0-1+deb12u2.

We recommend that you upgrade your librabbitmq packages.

For the detailed security status of librabbitmq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/librabbitmq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6374-1] nginx security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6374-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 30, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : nginx
CVE ID : CVE-2026-42055 CVE-2026-48142
Debian Bug : 1140359 1140361

Multiple vulnerabilities were discovered in Nginx, a high-performance web
and reverse proxy server, which could result in remote code execution,
denial of service or memory disclosure.

For the stable distribution (trixie), these problems have been fixed in
version 1.26.3-3+deb13u7.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/nginx

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/