Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1636-1 xrdp security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4468-1] tomcat9 security update
[DLA 4469-1] alsa-lib security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6122-1] chromium security update
[DSA 6120-1] tomcat10 security update
Debian GNU/Linux 13 (Trixie):
[DSA 6119-1] openjdk-25 security update
[DSA 6121-1] tomcat11 security update
[SECURITY] [DSA 6119-1] openjdk-25 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6119-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 05, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openjdk-25
CVE ID : CVE-2026-21925 CVE-2026-21932 CVE-2026-21933 CVE-2026-21945
Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in incorrect certificate validation, CRLF injection or
man-in-the-middle attacks.
For the stable distribution (trixie), these problems have been fixed in
version 25.0.2+10-1~deb13u2. This version of OpenJDK now also requires
jtreg8 for running the testsuite, which has been backported into trixie
as 8.1+1+ds1-1~deb13u1.
We recommend that you upgrade your openjdk-25 packages.
For the detailed security status of openjdk-25 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-25
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4468-1] tomcat9 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4468-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
February 05, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : tomcat9
Version : 9.0.107-0+deb11u2
CVE ID : CVE-2025-55752 CVE-2025-55754 CVE-2025-61795
Several security vulnerabilities have been found in Tomcat 9, a Java web server
and servlet engine. The update corrects various flaws which can lead to a
bypass of security constraints or a denial of service.
In addition it fixes a regression that prevented tomcat's start script from
detecting installations of OpenJDK 17.
For Debian 11 bullseye, these problems have been fixed in version
9.0.107-0+deb11u2.
We recommend that you upgrade your tomcat9 packages.
For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1636-1 xrdp security update
Package : xrdp
Version : 0.9.9-1+deb10u5 (buster)
Related CVEs :
CVE-2025-68670
xrdp is an open source RDP server. It was found that xrdp contains an
unauthenticated stack-based buffer overflow vulnerability. The issue
stems from improper bounds checking when processing user domain
information during the connection sequence. If exploited, the
vulnerability could allow remote attackers to execute arbitrary code
on the target system.
[SECURITY] [DLA 4469-1] alsa-lib security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4469-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Paride Legovini
February 05, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : alsa-lib
Version : 1.2.4-1.1+deb11u1
CVE ID : CVE-2026-25068
A buffer overflow in the alsa-lib package can lead to a crash when a topology
file (.tplg) has an excessive num_channels value. The alsa-lib package contains
libraries and tools to interface with ALSA, the Advanced Linux Sound
Architecture.
For Debian 11 bullseye, this problem has been fixed in version
1.2.4-1.1+deb11u1.
We recommend that you upgrade your alsa-lib packages.
For the detailed security status of alsa-lib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/alsa-lib
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6122-1] chromium security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6122-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
February 05, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2026-1861 CVE-2026-1862
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
For the oldstable distribution (bookworm), these problems have been fixed
in version 144.0.7559.109-2~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 144.0.7559.109-2~deb13u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6121-1] tomcat11 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6121-1 security@debian.org
https://www.debian.org/security/ Markus Koschany
February 05, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : tomcat11
CVE ID : CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989
CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668
CVE-2025-55752 CVE-2025-55754 CVE-2025-61795
Debian Bug : 1106821 1108118 1108116 1111096 1108114 1109111 1109113 1111098
Several security vulnerabilities have been found in Tomcat 11, a Java web
server and servlet engine. This update improves the handling of HTTP/2
connections and corrects various flaws which can lead to uncontrolled resource
consumption and a denial of service.
For the stable distribution (trixie), these problems have been fixed in
version 11.0.15-1~deb13u1.
We recommend that you upgrade your tomcat11 packages.
For the detailed security status of tomcat11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat11
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6120-1] tomcat10 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6120-1 security@debian.org
https://www.debian.org/security/ Markus Koschany
February 05, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : tomcat10
CVE ID : CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989
CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668
CVE-2025-55752 CVE-2025-55754 CVE-2025-61795 CVE-2025-31650
CVE-2025-31651
Debian Bug : 1106820 1108119 1108117 1111097 1108115 1109112 1109114 1111099 1119294
Several security vulnerabilities have been found in Tomcat 10, a Java web
server and servlet engine. This update improves the handling of HTTP/2
connections and corrects various flaws which can lead to uncontrolled resource
consumption and a denial of service.
For the oldstable distribution (bookworm), these problems have been fixed
in version 10.1.52-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 10.1.52-1~deb13u1.
We recommend that you upgrade your tomcat10 packages.
For the detailed security status of tomcat10 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat10
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/