
Debian LTS has released two security advisories covering the OpenSSH and Thunderbird packages. The OpenSSH flaw, discovered by Jeremy Brown, is in the GSSAPI Key Exchange patch that Debian applies to OpenSSH and affects non-default configurations with the GSSAPIKeyExchange setting enabled; a remote attacker can use it to cause a denial of service or, potentially, to execute arbitrary code. The Thunderbird update fixes multiple security issues that could likewise result in the execution of arbitrary code. Debian 11 bullseye users are strongly advised to upgrade their packages immediately to resolve these critical security issues.

[DLA 4535-1] openssh security update
[DLA 4534-1] thunderbird security update




[SECURITY] [DLA 4535-1] openssh security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4535-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
April 16, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : openssh
Version : 1:8.4p1-5+deb11u6
CVE ID : CVE-2026-3497
Debian Bug : 1130595

Jeremy Brown discovered a flaw in the GSSAPI Key Exchange patch applied
in Debian to OpenSSH, an implementation of the SSH protocol suite,
affecting non-default configurations with the GSSAPIKeyExchange setting
enabled. A remote attacker can take advantage of this flaw to cause a
denial of service, or potentially the execution of arbitrary code.

For Debian 11 bullseye, this problem has been fixed in version
1:8.4p1-5+deb11u6.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
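
The following triage script is an added example, not part of the Debian advisory. It combines the two conditions DLA-4535-1 names for Debian 11 bullseye: a package older than the fixed version and the GSSAPIKeyExchange setting enabled. The function names and verdict strings are illustrative assumptions, and it expects `dpkg` to be present.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a Debian 11 bullseye host
# against DLA-4535-1. Function names and verdict strings are illustrative.
FIXED='1:8.4p1-5+deb11u6'   # fixed bullseye version stated in the advisory

# Reads sshd configuration text on stdin; succeeds if any active line sets
# GSSAPIKeyExchange to yes. Deliberately conservative: every occurrence
# counts, wherever it sits in the file, so exposure is not under-reported.
gssapi_kex_enabled() {
    awk '
        /^[ \t]*#/ { next }              # skip comment lines
        { gsub(/=/, " ") }               # also accept keyword=value
        tolower($1) == "gssapikeyexchange" && tolower($2) == "yes" { found = 1; exit }
        END { exit !found }
    '
}

# Succeeds if the given package version is at or above the fixed version.
# dpkg applies Debian's own version ordering, including the "1:" epoch.
openssh_is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED"
}

# $1 = installed openssh-server version; sshd configuration text on stdin.
triage() {
    if openssh_is_fixed "$1"; then
        echo "fixed"
    elif gssapi_kex_enabled; then
        echo "exposed"                   # old package and the setting is on
    else
        echo "upgrade-pending"           # old package, setting not enabled
    fi
}

# On a host:
#   ver=$(dpkg-query -W -f='${Version}' openssh-server)
#   cat /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null | triage "$ver"
```

A verdict of `upgrade-pending` still calls for the upgrade the advisory recommends; it only means the affected setting was not found in the configuration text supplied.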



[SECURITY] [DLA 4534-1] thunderbird security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4534-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
April 16, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : thunderbird
Version : 1:140.9.1esr-1~deb11u1
CVE ID : CVE-2026-5731 CVE-2026-5732 CVE-2026-5734

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For Debian 11 bullseye, these problems have been fixed in version
1:140.9.1esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS