[DLA 4603-1] krb5 security update
ELA-1735-1 nghttp2 security update
[DLA 4604-1] roundcube security update
[DSA 6308-1] nagios4 security update
[DLA 4602-1] lemonldap-ng security update
[DLA 4605-1] python-flask-httpauth security update
[DSA 6307-1] kitty security update
[DSA 6306-1] linux security update
[DSA 6305-1] linux security update
[SECURITY] [DLA 4603-1] krb5 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4603-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emmanuel Arias
May 28, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : krb5
Version : 1.18.3-6+deb11u8
CVE ID : CVE-2026-40355 CVE-2026-40356
Debian Bug : 1135317
Two vulnerabilities were found in krb5, the MIT implementation of Kerberos.
An unauthenticated remote attacker can take advantage of them to cause a
denial of service.
CVE-2026-40355
If an application calls gss_accept_sec_context() on a system with a NegoEx
mechanism registered in /etc/gss/mech, an unauthenticated remote attacker
can trigger a null pointer dereference, causing the process to terminate.
CVE-2026-40356
If an application calls gss_accept_sec_context() on a system with a NegoEx
mechanism registered in /etc/gss/mech, an unauthenticated remote attacker
can trigger a read overrun of up to 52 bytes, possibly causing the process
to terminate. Exfiltration of the bytes read does not appear possible.
For Debian 11 bullseye, these problems have been fixed in version
1.18.3-6+deb11u8.
We recommend that you upgrade your krb5 packages.
For the detailed security status of krb5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/krb5
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1735-1 nghttp2 security update
Package : nghttp2
Version : 1.18.1-1+deb9u5 (stretch), 1.36.0-2+deb10u4 (buster)
Related CVEs :
CVE-2026-27135
It was discovered that nghttp2, an implementation of the HTTP/2 protocol,
could be crashed via an assertion failure. A remote attacker could exploit
this to cause a DoS attack by sending a malformed frame immediately
after triggering the termination path.
[SECURITY] [DLA 4604-1] roundcube security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4604-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
May 28, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : roundcube
Version : 1.4.15+dfsg.1-1+deb11u9
CVE ID : CVE-2026-48842 CVE-2026-48843 CVE-2026-48844 CVE-2026-48845
CVE-2026-48846 CVE-2026-48847 CVE-2026-48848 CVE-2026-48849
Debian Bug : 1132838 1137507
Multiple vulnerabilities were discovered in Roundcube, a skinnable AJAX
based webmail solution for IMAP servers, which could result in
cross-site scripting, SQL injection, server-side request forgery,
information disclosure, code injection, or deletion of arbitrary files.
CVE-2026-48842
Pre-authentication SQL injection in `virtuser_query` plugin via
`preg_replace()` backslash escape bypass.
CVE-2026-48843
Server-Side Request Forgery (SSRF) via stylesheet links to specific
local-address URLs. This issue stems from an insufficient fix for
CVE-2026-35540.
CVE-2026-48844
Code injection vulnerability via code evaluation support in LDAP's
`autovalues` option. Code evaluation support has been removed in
this update.
CVE-2026-48845
Local/private URL fetch bypass when remote resources were not
allowed. This allows attackers to bypass remote image blocking to
potentially bypass access control.
CVE-2026-48846
Bypass of remote image blocking via CSS `var()`. This allows
attackers to bypass remote image blocking to track email open action
or potentially bypass access control.
CVE-2026-48847
Pre-authentication arbitrary file delete via redis/memcache session
poisoning bypass.
CVE-2026-48848
CSS injection bypass in HTML sanitizer via SVG ``.
CVE-2026-48849
Stored XSS/HTML/CSS injection in subject field of the draft restore
dialog.
For Debian 11 bullseye, these problems have been fixed in version
1.4.15+dfsg.1-1+deb11u9.
We recommend that you upgrade your roundcube packages.
For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6308-1] nagios4 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6308-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 28, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : nagios4
CVE ID : not yet available
Debian Bug : 1136340
It was discovered that some of the CGI scripts of the Nagios monitoring
system were susceptible to cross-site request forgery.
For the oldstable distribution (bookworm), this problem has been fixed
in version 4.4.6-4+deb12u1.
For the stable distribution (trixie), this problem has been fixed in
version 4.4.6-4.1+deb13u1.
We recommend that you upgrade your nagios4 packages.
For the detailed security status of nagios4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nagios4
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4602-1] lemonldap-ng security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4602-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
May 28, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : lemonldap-ng
Version : 2.0.11+ds-4+deb11u8
CVE ID : CVE-2024-52948 CVE-2025-59518 TEMP-0000000-5C6A59 (CVE not yet available)
Multiple vulnerabilities have been discovered in lemonldap-ng, a
Web-SSO system.
CVE-2024-52948
CSRF on 2FA registration
CVE-2025-59518
It does not localize $_ during rule evaluation. Thus, an
administrator who can edit a rule evaluated by the Safe jail can
execute commands on the server.
TEMP-0000000-5C6A59 (CVE not yet available)
session id exposed in portal AJAX responses.
For Debian 11 bullseye, these problems have been fixed in version
2.0.11+ds-4+deb11u8.
We recommend that you upgrade your lemonldap-ng packages.
For the detailed security status of lemonldap-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lemonldap-ng
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4605-1] python-flask-httpauth security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4605-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emmanuel Arias
May 28, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-flask-httpauth
Version : 3.2.4-3.1+deb11u1
CVE ID : CVE-2026-34531
Debian Bug : 1132581
A vulnerability was found in python-flask-httpauth, a Flask extension that
simplifies the use of HTTP authentication with Flask routes. When a client made
a request to a token-protected resource without passing a token, or passing an
empty token, python-flask-httpauth invoked the application's token verification
callback function with the token argument set to an empty string. If the
application had any users in its database with an empty string set as their
token, the client request could be authenticated as any of those users.
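The sequence described above is easy to reproduce outside the extension. The following added example is not python-flask-httpauth's code; it models the two halves the advisory describes: how the token argument is derived from the Authorization header, with a switch for the pre-fix behaviour in which a missing or empty token reaches the callback as '', and an application callback (the function a Flask app registers with the extension's verify_token decorator) that looks the token up in a user table containing one row with an empty token. It also shows the application-side guard, rejecting empty tokens inside the callback, that keeps an application safe before the package is upgraded. The user table, tokens and header values are constructed.

```python
"""Model of the empty-token authentication path described in the advisory.
Not python-flask-httpauth's code: it models how a bearer token is taken from
the Authorization header and handed to the application's verify_token
callback, and compares a naive callback with a hardened one."""

from typing import Callable, Optional

# Constructed user table keyed by token.  The second row is the unsafe state
# the advisory describes: a user whose stored token is the empty string.
USERS_BY_TOKEN = {
    "8f3a-alice-token": "alice",
    "": "service-account",
}


def token_from_header(authorization: Optional[str],
                      empty_token_reaches_callback: bool) -> Optional[str]:
    """Extract a bearer token from the Authorization header.

    Returns the token string to hand to the callback, or None when
    authentication should stop before the callback runs.  With
    empty_token_reaches_callback=True (model of the pre-fix behaviour) a
    missing header, a non-Bearer scheme or a blank token all become ''
    and still reach the callback.
    """
    token = ""
    if authorization:
        scheme, _, value = authorization.partition(" ")
        if scheme.lower() == "bearer":
            token = value.strip()
    if token == "" and not empty_token_reaches_callback:
        return None  # fixed behaviour: never consult the callback for ''
    return token


def verify_token_naive(token: str) -> Optional[str]:
    """Application callback that trusts whatever token it is handed."""
    return USERS_BY_TOKEN.get(token)


def verify_token_hardened(token: str) -> Optional[str]:
    """Same lookup, but an empty token is rejected before the lookup, so the
    application is safe even behind an unfixed extension."""
    if not token:
        return None
    return USERS_BY_TOKEN.get(token)


def authenticate(authorization: Optional[str],
                 callback: Callable[[str], Optional[str]],
                 empty_token_reaches_callback: bool) -> Optional[str]:
    """Return the authenticated username, or None if the request is rejected."""
    token = token_from_header(authorization, empty_token_reaches_callback)
    if token is None:
        return None
    return callback(token)


if __name__ == "__main__":
    # Constructed request headers: absent, blank bearer, wrong scheme, valid.
    for header in (None, "Bearer ", "Basic dXNlcjpwYXNz", "Bearer 8f3a-alice-token"):
        print(f"{header!r:28}",
              "pre-fix/naive:", authenticate(header, verify_token_naive, True),
              "| pre-fix/hardened:", authenticate(header, verify_token_hardened, True),
              "| fixed/naive:", authenticate(header, verify_token_naive, False))
```

Independently of the package upgrade, the row that makes this exploitable is the one with an empty (or NULL) token, so the application-side check is to audit the user store for such rows and to reject empty tokens in the callback, as verify_token_hardened does.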
For Debian 11 bullseye, this problem has been fixed in version
3.2.4-3.1+deb11u1.
We recommend that you upgrade your python-flask-httpauth packages.
For the detailed security status of python-flask-httpauth please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-flask-httpauth
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6307-1] kitty security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6307-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 28, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : kitty
CVE ID : CVE-2026-33633 CVE-2026-33642
Debian Bug : 1137210
Two vulnerabilities were discovered in kitty, a GPU based terminal
emulator, which may result in the execution of arbitrary code or denial
of service.
For the stable distribution (trixie), these problems have been fixed in
version 0.41.1-2+deb13u1.
We recommend that you upgrade your kitty packages.
For the detailed security status of kitty please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/kitty
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6306-1] linux security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6306-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 28, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2026-43503 CVE-2026-46174 CVE-2026-46300
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
For the oldstable distribution (bookworm), these problems have been
fixed in version 6.1.174-1.
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6305-1] linux security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6305-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 28, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2026-43494
Two vulnerabilities have been discovered in the Linux kernel that may
lead to a local privilege escalation.
For the stable distribution (trixie), these problems have been fixed in
version 6.12.90-2.
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/