Debian 10876 Published by

Debian and Freexian issued a set of security updates for numerous Linux packages across multiple distributions. The updates address critical flaws in Firefox ESR, Flatpak, and strongSwan that could let attackers bypass sandbox protections or run malicious code with elevated privileges. Systems running older release branches also received necessary fixes for PackageKit race conditions and network utilities like inetutils that previously allowed information leaks and service disruptions. You should install these updates as soon as possible to prevent potential exploitation of the disclosed vulnerabilities.

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1691-1 libapache2-mod-auth-openidc security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1692-1 inetutils security update
ELA-1693-1 packagekit security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4545-1] packagekit security update

Debian GNU/Linux 12 (Bookworm):
[DSA 6224-1] xdg-dbus-proxy security update
[DSA 6223-1] flatpak security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6225-1] firefox-esr security update
[DSA 6226-1] packagekit security update
[DSA 6227-1] strongswan security update

Debian GNU/Linux 13 (Trixie):
[DSA 6228-1] cpp-httplib security update



[SECURITY] [DSA 6224-1] xdg-dbus-proxy security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6224-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xdg-dbus-proxy
CVE ID : CVE-2026-34080

It was discovered that incorrect parsing of policy rules in the
xdg-dbus-proxy (a filtering proxy for D-Bus connections) allowed the
bypass of eavesdrop restrictions, which could result in information
disclosure.

For the oldstable distribution (bookworm), this problem has been fixed
in version 0.1.4-3+deb12u1.

We recommend that you upgrade your xdg-dbus-proxy packages.

For the detailed security status of xdg-dbus-proxy please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xdg-dbus-proxy

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6223-1] flatpak security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6223-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : flatpak
CVE ID : CVE-2026-34078 CVE-2026-34079

Multiple security vulnerabilities were discovered in Flatpak, an
application deployment framework for desktop apps, which could allow a
Flatpak app to delete arbitrary files on the host or break out of the
sandbox, resulting in code execution in the host context.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1.14.10-1~deb12u2.

We recommend that you upgrade your flatpak packages.

For the detailed security status of flatpak please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/flatpak

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1691-1 libapache2-mod-auth-openidc security update


Package : libapache2-mod-auth-openidc
Version : 2.1.6-1+deb9u2 (stretch)

Related CVEs :
CVE-2021-32786
CVE-2021-32792
CVE-2021-39191
CVE-2022-23527
CVE-2023-28625
CVE-2024-24814
CVE-2025-3891

Several vulnerabilities were found in mod_auth_openidc, an OpenID
Certified authentication and authorization module for the Apache 2.x
HTTP server that implements the OpenID Connect Relying Party
functionality.
An unauthenticated attacker may cause Denial-of-Service (DoS) through
crafted HTTP requests, facilitate a phishing campaign leveraging open
redirects by sending crafted links to a victim, or inject JavaScript
code (XSS).

CVE-2021-32786
oidc_validate_redirect_url() does not parse URLs the same way as
most browsers do. As a result, this function can be bypassed and
leads to an Open Redirect vulnerability in the logout
functionality.

CVE-2021-32792
XSS vulnerability when using OIDCPreservePost On.

CVE-2021-39191
The 3rd-party init SSO functionality of mod_auth_openidc was
reported to be vulnerable to an open redirect attack by supplying
a crafted URL in the target_link_uri parameter.

CVE-2022-23527
When providing a logout parameter to the redirect URI, the
existing code in oidc_validate_redirect_url() does not properly
check for URLs that start with /\t, leading to an open redirect.

CVE-2023-28625
When OIDCStripCookies is set and a crafted cookie supplied, a
NULL pointer dereference would occur, resulting in a segmentation
fault. This could be used in a Denial-of-Service attack and thus
presents an availability risk.

CVE-2024-24814
Input validation on mod_auth_openidc_session_chunks cookie value
makes the server vulnerable to a denial of service (DoS) attack.

CVE-2025-3891
Denial of service when sending an empty Content-Type header when
the OIDCPreservePost directive is enabled.
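Three of the entries above (CVE-2021-32786, CVE-2021-39191 and CVE-2022-23527) are the same class of bug: a redirect target is validated by a parser that disagrees with browsers, so a string such as "/\t..." passes a "starts with a single slash" check while a browser treats it quite differently. The following is an added illustration, not mod_auth_openidc's code, of the defensive alternative: instead of modelling every browser's URL normalisation, accept only a plain site-local path and reject everything else. The function name `is_safe_local_redirect` and the sample inputs are constructed for this example; example.com is a reserved documentation hostname.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical redirect-target check (not mod_auth_openidc code).
 * Policy: the target must be a site-local path. That means it starts with
 * exactly one '/', and no byte anywhere is a control character, whitespace,
 * backslash or non-ASCII. Anything a browser might silently strip or
 * reinterpret (tabs, newlines, "\", "//host") is rejected outright rather
 * than normalised, which is what closes the parser-mismatch gap. */
bool is_safe_local_redirect(const char *url)
{
    if (url == NULL || url[0] != '/')
        return false;                  /* empty, relative, or absolute URL */

    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        /* "/\tevil" is the CVE-2022-23527 shape: the tab hides a second
           slash from a naive check but is dropped by browsers. */
        if (*p >= 0x80 || iscntrl(*p) || isspace(*p) || *p == '\\')
            return false;
    }

    if (url[1] == '/')                 /* "//host/..." is scheme-relative */
        return false;

    return true;
}

int main(void)
{
    /* Constructed sample inputs for a stand-alone run. */
    const char *samples[] = {
        "/", "/account?tab=security", "https://example.com/",
        "//example.com/", "/\texample.com/", "/\\example.com/", ""
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               is_safe_local_redirect(samples[i]) ? "allow" : "reject");
    return 0;
}
```

The check deliberately errs on the side of rejecting: a legitimate target that contains an encoded tab or a non-ASCII path segment is refused too, and a deployment that must redirect to absolute URLs on its own origin still needs an explicit allowlist on top of this.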





[SECURITY] [DSA 6225-1] firefox-esr security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6225-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2026-6746 CVE-2026-6747 CVE-2026-6748 CVE-2026-6749
CVE-2026-6750 CVE-2026-6751 CVE-2026-6752 CVE-2026-6753
CVE-2026-6754 CVE-2026-6757 CVE-2026-6761 CVE-2026-6762
CVE-2026-6763 CVE-2026-6764 CVE-2026-6765 CVE-2026-6766
CVE-2026-6767 CVE-2026-6769 CVE-2026-6770 CVE-2026-6771
CVE-2026-6772 CVE-2026-6776 CVE-2026-6785 CVE-2026-6786

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, spoofing, information disclosure or privilege escalation.

For the oldstable distribution (bookworm), these problems have been fixed
in version 140.10.0esr-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 140.10.0esr-1~deb13u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1692-1 inetutils security update


Package : inetutils

Version : 2:1.9.4-2+deb9u5 (stretch), 2:1.9.4-7+deb10u5 (buster)

Related CVEs :
CVE-2026-24061
CVE-2026-28372
CVE-2026-32746
CVE-2026-32772

Multiple vulnerabilities were found in telnetd (server) and telnet (client)
in the GNU inetutils suite. The vulnerabilities include reading arbitrary
environment variables from the connecting client (information disclosure),
an out-of-bounds write in the server (potential remote code execution) and
potential abuse of the service credentials support in util-linux login 2.40,
which is not part of Debian buster or stretch but could become a problem if
the local system administrator decided to update to a newer version on their
own accord.





[SECURITY] [DSA 6226-1] packagekit security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6226-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : packagekit
CVE ID : not yet available

Maik Schaefer discovered that a TOCTOU race condition in PackageKit (a
package management service over a DBus interface) could result in local
privilege escalation.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.2.6-5+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 1.3.1-1+deb13u1.

We recommend that you upgrade your packagekit packages.

For the detailed security status of packagekit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/packagekit

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6228-1] cpp-httplib security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6228-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : cpp-httplib
CVE ID : CVE-2025-46728 CVE-2025-53629

Multiple security issues were discovered in cpp-httplib, a C++ cross
platform HTTP/HTTPS library, which could result in denial of service.

For the stable distribution (trixie), these problems have been fixed in
version 0.18.7-1+deb13u1.

We recommend that you upgrade your cpp-httplib packages.

For the detailed security status of cpp-httplib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cpp-httplib

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6227-1] strongswan security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6227-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
April 22, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : strongswan
CVE ID : CVE-2026-35328 CVE-2026-35329 CVE-2026-35330 CVE-2026-35331
CVE-2026-35332 CVE-2026-35333 CVE-2026-35334

Multiple vulnerabilities were fixed in strongSwan, an IKE/IPsec suite.

CVE-2026-35328

A vulnerability in libtls related to the processing of the
supported_versions extension in TLS that can result in an infinite
loop.

CVE-2026-35329

Vulnerabilities in libstrongswan and the pkcs7 plugin related to the
processing of encrypted PKCS#7 containers that can result in a crash.

CVE-2026-35330

A vulnerability in libsimaka related to the processing of certain
EAP-SIM/AKA attributes that can result in an infinite loop or a
heap-based buffer overflow and potentially remote code execution.

CVE-2026-35331

A vulnerability in the constraints plugin related to the processing of
X.509 name constraints that can allow authentication with certificates
that violate the constraints.

CVE-2026-35332

A vulnerability in libtls related to the processing of ECDH public
values in TLS < 1.3 that can result in a crash.

CVE-2026-35333

A vulnerability in libradius related to the processing of RADIUS
attributes that can result in an infinite loop or an out-of-bounds
read that may cause a crash.

CVE-2026-35334

A vulnerability in the gmp plugin related to RSA decryption that can
result in a crash.
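Three of the strongSwan entries above (the TLS supported_versions extension, EAP-SIM/AKA attributes and RADIUS attributes) name the same outcome, an infinite loop or an out-of-bounds read, and they share one root shape: a length-prefixed element whose length field is trusted. The following is an added example, not strongSwan's libradius, of a RADIUS attribute walker written so that neither failure is reachable. RADIUS attributes (RFC 2865) are Type (1 byte), Length (1 byte, counting the two header bytes, so at least 2), Value. The function and struct names and the sample packet bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical hardened TLV walker (not strongSwan code). */
typedef struct {
    uint8_t        type;
    uint8_t        len;    /* value length, header already subtracted */
    const uint8_t *value;
} radius_attr_t;

/* Walks the attribute region of a RADIUS packet. Returns the number of
 * attributes, or -1 if the buffer is malformed. Never reads outside
 * buf[0 .. buf_len) and always terminates: every accepted attribute
 * advances the cursor by at least 2 bytes. */
int radius_walk_attrs(const uint8_t *buf, size_t buf_len,
                      radius_attr_t *out, size_t out_max)
{
    size_t off = 0;
    int count = 0;

    while (off < buf_len) {
        size_t remaining = buf_len - off;
        if (remaining < 2)            /* truncated header: Type without Length */
            return -1;

        uint8_t type = buf[off];
        uint8_t len  = buf[off + 1];

        if (len < 2)                  /* Length 0 or 1 would never advance: */
            return -1;                /* the classic infinite-loop trigger  */
        if (len > remaining)          /* Length past end of buffer: OOB read */
            return -1;

        if ((size_t)count < out_max) {
            out[count].type  = type;
            out[count].len   = (uint8_t)(len - 2);
            out[count].value = buf + off + 2;
        }
        count++;
        off += len;                   /* len >= 2 here, so progress is guaranteed */
    }
    return count;
}

int main(void)
{
    /* Constructed attribute region: User-Name(1) "alice", Service-Type(6) = 2. */
    static const uint8_t good[]     = { 1, 7, 'a','l','i','c','e', 6, 6, 0, 0, 0, 2 };
    static const uint8_t zero_len[] = { 1, 0, 'x' };      /* Length 0: would spin */
    static const uint8_t overlong[] = { 1, 9, 'a', 'b' }; /* Length 9 > 4 bytes present */
    radius_attr_t attrs[8];

    printf("good:     %d\n", radius_walk_attrs(good, sizeof good, attrs, 8));
    printf("zero_len: %d\n", radius_walk_attrs(zero_len, sizeof zero_len, attrs, 8));
    printf("overlong: %d\n", radius_walk_attrs(overlong, sizeof overlong, attrs, 8));
    return 0;
}
```

The two guards, "length at least the header size" and "length at most what remains", are the whole fix for this bug class; the same pair applies unchanged to the TLS extension and EAP attribute parsers named in the advisory, with the header size adjusted to each format.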

For the oldstable distribution (bookworm), these problems have been fixed
in version 5.9.8-5+deb12u4.

For the stable distribution (trixie), these problems have been fixed in
version 6.0.1-6+deb13u5.

We recommend that you upgrade your strongswan packages.

For the detailed security status of strongswan please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/strongswan

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4545-1] packagekit security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4545-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Thorsten Alteholz
April 22, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : packagekit
Version : 1.2.2-2+deb11u1
CVE ID : not yet available

Maik Schaefer discovered that a TOCTOU race condition in PackageKit (a
package management service over a DBus interface) could result in local
privilege escalation.

For Debian 11 bullseye, this problem has been fixed in version
1.2.2-2+deb11u1.

We recommend that you upgrade your packagekit packages.

For the detailed security status of packagekit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/packagekit

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1693-1 packagekit security update


Package : packagekit

Version : 1.1.5-2+deb9u3 (stretch), 1.1.12-5+deb10u1 (buster)

Maik Schaefer discovered that a TOCTOU race condition in PackageKit (a
package management service over a DBus interface) could result in local
privilege escalation.

