Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1689-1 ntfs-3g security update
Debian GNU/Linux 10 (Buster) ELTS:
ELA-1688-1 xdg-dbus-proxy security update
ELA-1690-1 imagemagick security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4541-1] opam security update
[DLA 4540-1] mupdf security update
[DLA 4542-1] xdg-dbus-proxy security update
[DLA 4543-1] simpleeval security update
[DLA 4523-1] python-geopandas security update
[DLA 4544-1] ntfs-3g security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6221-1] ntfs-3g security update
[DSA 6222-1] ngtcp2 security update
[SECURITY] [DLA 4541-1] opam security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4541-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                Emilio Pozuelo Monfort
April 21, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : opam
Version : 2.0.8-1+deb11u1
CVE ID : CVE-2026-41082
Andrew Nesbitt discovered that .install file directives were
insufficiently restricted in OPAM, a package manager for OCaml. This
could result in directory traversal out of the package area.
For Debian 11 bullseye, this problem has been fixed in version
2.0.8-1+deb11u1.
We recommend that you upgrade your opam packages.
For the detailed security status of opam please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/opam
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4540-1] mupdf security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4540-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                Emilio Pozuelo Monfort
April 21, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : mupdf
Version : 1.17.0+ds1-2+deb11u2
CVE ID : CVE-2026-3308
Debian Bug : 1133189
Yarden Porat found a heap-based buffer overwrite in MuPDF, a lightweight
PDF viewer, which may result in denial of service or the execution of
arbitrary code if malformed documents are opened.
For Debian 11 bullseye, this problem has been fixed in version
1.17.0+ds1-2+deb11u2.
We recommend that you upgrade your mupdf packages.
For the detailed security status of mupdf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mupdf
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1688-1 xdg-dbus-proxy security update
Package : xdg-dbus-proxy
Version : 0.1.1-1+deb10u1 (buster)
Related CVEs :
CVE-2026-34080
It was discovered that incorrect parsing of policy rules in the
xdg-dbus-proxy (a filtering proxy for D-Bus connections) allowed the
bypass of eavesdrop restrictions, which could result in information
disclosure.
[SECURITY] [DLA 4542-1] xdg-dbus-proxy security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4542-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                Emilio Pozuelo Monfort
April 21, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : xdg-dbus-proxy
Version : 0.1.2-2+deb11u1
CVE ID : CVE-2026-34080
Debian Bug : 1132939
It was discovered that incorrect parsing of policy rules in the
xdg-dbus-proxy (a filtering proxy for D-Bus connections) allowed the
bypass of eavesdrop restrictions, which could result in information
disclosure.
For Debian 11 bullseye, this problem has been fixed in version
0.1.2-2+deb11u1.
We recommend that you upgrade your xdg-dbus-proxy packages.
For the detailed security status of xdg-dbus-proxy please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xdg-dbus-proxy
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6221-1] ntfs-3g security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6221-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 21, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ntfs-3g
CVE ID : CVE-2026-40706
Andrea Bocchetti discovered a heap-based buffer overflow in NTFS-3G, a
read-write NTFS driver for FUSE. A local user can take advantage of this
flaw for local root privilege escalation.
For the oldstable distribution (bookworm), this problem has been fixed
in version 1:2022.10.3-1+deb12u3.
For the stable distribution (trixie), this problem has been fixed in
version 1:2022.10.3-5+deb13u1.
We recommend that you upgrade your ntfs-3g packages.
For the detailed security status of ntfs-3g please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ntfs-3g
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4543-1] simpleeval security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4543-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                 Santiago Ruano Rincón
April 21, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : simpleeval
Version : 0.9.10-1+deb11u1
CVE ID : CVE-2026-32640
Debian Bug : 1130875
Byambadalai Sumiya discovered that SimpleEval, a library for adding
evaluatable expressions into Python projects, didn't fully restrict some
module references, resulting in sandbox bypass.
For Debian 11 bullseye, this problem has been fixed in version
0.9.10-1+deb11u1.
We recommend that you upgrade your simpleeval packages.
For the detailed security status of simpleeval please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/simpleeval
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6222-1] ngtcp2 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6222-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 21, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ngtcp2
CVE ID : CVE-2026-40170
Zou Dikai discovered a buffer overflow in ngtcp2, a QUIC protocol library.
For the oldstable distribution (bookworm), this problem has been fixed
in version 0.12.1+dfsg-1+deb12u1.
For the stable distribution (trixie), this problem has been fixed in
version 1.11.0-1+deb13u1.
We recommend that you upgrade your ngtcp2 packages.
For the detailed security status of ngtcp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ngtcp2
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4523-1] python-geopandas security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4523-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                            Chris Lamb
April 21, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-geopandas
Version : 0.8.2-1+deb11u1
CVE ID : CVE-2025-69662
It was discovered that there was a potential SQL vulnerability in
python-geopandas, a tool for working with geographic/geospatial data
in the Pandas data analysis suite.
For Debian 11 bullseye, this problem has been fixed in version
0.8.2-1+deb11u1.
We recommend that you upgrade your python-geopandas packages.
For the detailed security status of python-geopandas please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-geopandas
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4544-1] ntfs-3g security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4544-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Thorsten Alteholz
April 21, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : ntfs-3g
Version : 1:2017.3.23AR.3-4+deb11u5
CVE ID : CVE-2026-40706
Andrea Bocchetti discovered a heap-based buffer overflow in NTFS-3G, a
read-write NTFS driver for FUSE. A local user can take advantage of this
flaw for local root privilege escalation.
For Debian 11 bullseye, this problem has been fixed in version
1:2017.3.23AR.3-4+deb11u5.
We recommend that you upgrade your ntfs-3g packages.
For the detailed security status of ntfs-3g please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ntfs-3g
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1690-1 imagemagick security update
Package : imagemagick
Version : 8:6.9.10.23+dfsg-2.1+deb10u16 (buster)
Related CVEs :
CVE-2026-25971
CVE-2026-25985
CVE-2026-26284
CVE-2026-26983
CVE-2026-28494
CVE-2026-28686
CVE-2026-28687
CVE-2026-28688
CVE-2026-28689
CVE-2026-28690
CVE-2026-28691
CVE-2026-28692
CVE-2026-28693
CVE-2026-30883
CVE-2026-30936
CVE-2026-30937
CVE-2026-31853
CVE-2026-32259
CVE-2026-32636
CVE-2026-33535
CVE-2026-33536
Multiple security vulnerabilities were discovered in imagemagick,
a software suite used for editing and manipulating digital images, which
could lead to symlink races, information leaks, denial of service
and potentially arbitrary code execution.
Note that SVG and MVG plugins were updated from imagemagick 6.9.13-41 in order
to fix some vulnerabilities. This may change some conversion results like
bounding box or borders due to small rounding changes.
ELA-1689-1 ntfs-3g security update
Package : ntfs-3g
Version : 1:2016.2.22AR.1+dfsg-1+deb9u6 (stretch), 1:2017.3.23AR.3-4+deb11u4~deb10u2 (buster)
Related CVEs :
CVE-2026-40706
Andrea Bocchetti discovered a heap-based buffer overflow in NTFS-3G, a
read-write NTFS driver for FUSE. A local user can take advantage of this
flaw for local root privilege escalation.