Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1684-1 nss security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4524-2] postgresql-13 regression update
[DLA 4537-1] mapserver security update
[DLA 4536-1] tiff security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6214-1] chromium security update
[DSA 6216-1] opam security update
[DSA 6215-1] gimp security update
Debian GNU/Linux 13 (Trixie):
[DSA 6217-1] luanti security update
[SECURITY] [DSA 6214-1] chromium security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6214-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
April 17, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2026-6296 CVE-2026-6297 CVE-2026-6298 CVE-2026-6299
CVE-2026-6300 CVE-2026-6301 CVE-2026-6302 CVE-2026-6303
CVE-2026-6304 CVE-2026-6305 CVE-2026-6306 CVE-2026-6307
CVE-2026-6308 CVE-2026-6309 CVE-2026-6310 CVE-2026-6311
CVE-2026-6312 CVE-2026-6313 CVE-2026-6314 CVE-2026-6315
CVE-2026-6316 CVE-2026-6317 CVE-2026-6318 CVE-2026-6319
CVE-2026-6358 CVE-2026-6359 CVE-2026-6360 CVE-2026-6361
CVE-2026-6362 CVE-2026-6363 CVE-2026-6364
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
For the oldstable distribution (bookworm), these problems have been fixed
in version 147.0.7727.101-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 147.0.7727.101-1~deb13u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1684-1 nss security update
Package : nss
Version : 3.26.2-1.1+deb9u9 (stretch), 2:3.42.1-1+deb10u10 (buster)
Related CVEs :
CVE-2026-2781
Clay Ver Valen discovered an integer overflow in the AES-GCM
implementation of the Mozilla Network Security Service libraries.
[SECURITY] [DLA 4524-2] postgresql-13 regression update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4524-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Jochen Sprickerhof
April 17, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : postgresql-13
Version : 13.23-0+deb11u3
The fix for CVE-2026-2006 introduced a regression in SUBSTRING() for toasted
multibyte characters, as discussed in the upstream bug:
https://www.postgresql.org/message-id/19406-9867fddddd724fca@postgresql.org
A number of minor upstream fixes for the patches added in 13.23-0+deb11u2
were also included:
* pg_mblen_range, pg_mblen_with_len: Valgrind after encoding ereport.
* Suppress new "may be used uninitialized" warning.
* Fix test_valid_server_encoding helper function.
* pgcrypto: Tweak error message for incorrect session key length.
For Debian 11 bullseye, this problem has been fixed in version
13.23-0+deb11u3.
We recommend that you upgrade your postgresql-13 packages.
For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6217-1] luanti security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6217-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 17, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : luanti
CVE ID : CVE-2026-40959 CVE-2026-40960
Two security issues were discovered in Luanti, a multiplayer
infinite-world block sandbox game, which could result in incomplete
restrictions for installed mods or sandbox escape.
For the stable distribution (trixie), these problems have been fixed in
version 5.10.0+dfsg-5+deb13u1.
We recommend that you upgrade your luanti packages.
For the detailed security status of luanti please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/luanti
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6216-1] opam security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6216-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 17, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : opam
CVE ID : CVE-2026-41082
Andrew Nesbitt discovered that .install file directives were
insufficiently restricted in OPAM, a package manager for OCaml. This
could result in directory traversal out of the package area.
For the oldstable distribution (bookworm), this problem has been fixed
in version 2.1.2-1+deb12u1.
For the stable distribution (trixie), this problem has been fixed in
version 2.3.0-1+deb13u1.
We recommend that you upgrade your opam packages.
For the detailed security status of opam please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/opam
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6215-1] gimp security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6215-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 17, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : gimp
CVE ID : CVE-2026-4150 CVE-2026-4151 CVE-2026-4152 CVE-2026-4153
Several vulnerabilities were discovered in GIMP, the GNU Image
Manipulation Program, which could result in denial of service or
potentially the execution of arbitrary code if malformed PSP, JPEG 2000,
PSD or ANI files are opened.
For the oldstable distribution (bookworm), these problems have been fixed
in version 2.10.34-1+deb12u10.
For the stable distribution (trixie), these problems have been fixed in
version 3.0.4-3+deb13u8.
We recommend that you upgrade your gimp packages.
For the detailed security status of gimp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gimp
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4537-1] mapserver security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4537-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
April 17, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : mapserver
Version : 7.6.2-1+deb11u2
CVE ID : CVE-2026-33721
A heap buffer overflow was found in mapserver, a CGI-based framework for
Internet map services, which could lead to denial of service via a crafted
SLD (Styled Layer Descriptor) sent by a remote unauthenticated attacker.
For Debian 11 bullseye, this problem has been fixed in version
7.6.2-1+deb11u2.
We recommend that you upgrade your mapserver packages.
For the detailed security status of mapserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mapserver
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4536-1] tiff security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4536-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
April 17, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : tiff
Version : 4.2.0-1+deb11u8
CVE ID : CVE-2026-4775
Quang Luong discovered a heap overflow in the libtiff library, which may
result in denial of service or the execution of arbitrary code if
malformed image files are processed.
For Debian 11 bullseye, this problem has been fixed in version
4.2.0-1+deb11u8.
We recommend that you upgrade your tiff packages.
For the detailed security status of tiff please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS