Debian 10753

The Debian project has issued multiple security advisories for Debian GNU/Linux 11 (Bullseye) LTS, including updates for php7.4, imagemagick, shapelib, taglib, zvbi, apache2, and inetutils. Each advisory reports on specific vulnerabilities found in the respective packages, including issues related to memory overflow, null pointer dereference, denial of service, and authentication bypass.

[DLA 4447-1] php7.4 security update
[DLA 4448-1] imagemagick security update
[DLA 4451-1] shapelib security update
[DLA 4450-1] taglib security update
[DLA 4449-1] zvbi security update
[DLA 4452-1] apache2 security update
[DLA 4453-1] inetutils security update




[SECURITY] [DLA 4447-1] php7.4 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4447-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
January 24, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : php7.4
Version : 7.4.33-1+deb11u10
CVE ID : CVE-2025-14178
Debian Bug : 1123574

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in server side
request forgery or denial of service.

CVE-2025-14178

Heap buffer overflow in array_merge().

GHSA-www2-q4fc-65wf

dns_get_record() and other DNS functions do not perform any null-byte
check on their input, which may lead to SSRF or unexpected behavior. While
this has a (low) security impact, no CVE ID has been assigned to this
vulnerability yet.

For Debian 11 bullseye, these problems have been fixed in version
7.4.33-1+deb11u10.

We recommend that you upgrade your php7.4 packages.

For the detailed security status of php7.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4448-1] imagemagick security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4448-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
January 24, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : imagemagick
Version : 8:6.9.11.60+dfsg-1.3+deb11u9
CVE ID : CVE-2026-23874 CVE-2026-23876 CVE-2026-23952
Debian Bug : 1126075 1126076 1126077

imagemagick, an image processing suite, was affected by multiple vulnerabilities.

CVE-2026-23874

A stack overflow via infinite recursion was found in the MSL (Magick
Scripting Language) `` command when writing to the MSL format.

CVE-2026-23876

A heap buffer overflow vulnerability was found in the XBM image decoder
(ReadXBMImage), which allows an attacker to write controlled data past the
allocated heap buffer when a maliciously crafted image file is processed.
Any operation that reads or identifies an image can trigger the overflow,
making it exploitable via common image upload and processing pipelines.

CVE-2026-23952

A NULL pointer dereference vulnerability was found in the MSL
(Magick Scripting Language) parser when processing tags before
any image has been loaded. This can lead to a denial of service (DoS).

For Debian 11 bullseye, these problems have been fixed in version
8:6.9.11.60+dfsg-1.3+deb11u9.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4451-1] shapelib security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4451-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
January 24, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : shapelib
Version : 1.5.0-2+deb11u1
CVE ID : CVE-2022-0699

An issue has been found in shapelib, a library for reading and writing
ESRI Shapefiles.
The issue is related to a double free, which results in a crash and a
denial of service.

For Debian 11 bullseye, this problem has been fixed in version
1.5.0-2+deb11u1.

We recommend that you upgrade your shapelib packages.

For the detailed security status of shapelib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/shapelib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4450-1] taglib security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4450-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
January 24, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : taglib
Version : 1.11.1+dfsg.1-3+deb11u1
CVE ID : CVE-2023-47466

An issue has been found in taglib, an audio meta-data library.
The issue is related to a segmentation violation and a resulting
application crash when processing a crafted WAV file
in which an id3 chunk is the only valid chunk.

For Debian 11 bullseye, this problem has been fixed in version
1.11.1+dfsg.1-3+deb11u1.

We recommend that you upgrade your taglib packages.

For the detailed security status of taglib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/taglib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4449-1] zvbi security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4449-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
January 24, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : zvbi
Version : 0.2.35-18+deb11u1
CVE ID : CVE-2025-2173 CVE-2025-2174 CVE-2025-2175 CVE-2025-2176
CVE-2025-2177

Several issues have been found in zvbi, a Vertical Blanking Interval
decoder.
CVE-2025-2173 is related to an uninitialized pointer in
src/conv.c::vbi_strndup_iconv_ucs2().
The other issues are related to integer overflows in several functions
spread across the code base.

For Debian 11 bullseye, these problems have been fixed in version
0.2.35-18+deb11u1.

We recommend that you upgrade your zvbi packages.

For the detailed security status of zvbi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zvbi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4452-1] apache2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4452-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
January 24, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : apache2
Version : 2.4.66-1~deb11u1
CVE ID : CVE-2025-55753 CVE-2025-58098 CVE-2025-59775 CVE-2025-65082
CVE-2025-66200
Debian Bug : 1121926

Multiple vulnerabilities were fixed in Apache httpd, a popular web server.

CVE-2025-55753

An integer overflow in the handling of failed ACME certificate renewals
leads, after a number of failures (~30 days in default configurations),
to the backoff timer becoming 0. Attempts to renew the certificate are
then repeated without any delay until one succeeds.

CVE-2025-58098

Apache with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi)
passes the shell-escaped query string to #exec cmd="..." directives.

CVE-2025-59775

A Server-Side Request Forgery (SSRF) vulnerability was found in Apache
HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off,
which could allow NTLM hashes to be leaked to a malicious server via SSRF.

CVE-2025-65082

An Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability was found in Apache HTTP Server through environment
variables set via the Apache configuration unexpectedly superseding
variables calculated by the server for CGI programs.

CVE-2025-66200

A mod_userdir+suexec bypass via AllowOverride FileInfo was found in
Apache HTTP Server. Users who are allowed to use the RequestHeader
directive in .htaccess files can cause some CGI scripts to run under an
unexpected user id.

For Debian 11 bullseye, these problems have been fixed in version
2.4.66-1~deb11u1.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
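Two of the apache2 issues above only apply under specific configuration settings (CVE-2025-59775 needs AllowEncodedSlashes On together with MergeSlashes Off, and CVE-2025-66200 is reachable where .htaccess files may carry RequestHeader, which AllowOverride FileInfo or All permits). The following configuration audit is an added example, not part of the Debian advisory or of the Apache project; it walks a constructed httpd.conf fragment, tracks the enclosing Directory/VirtualHost containers, and reports where those preconditions hold. It also flags AllowOverrideList entries naming RequestHeader, which the advisory does not mention but which grant the same directive. The container-inheritance model (a VirtualHost inherits server-wide slash settings it does not override) is a simplification of Apache's real merge rules, and the sample configuration is made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample httpd.conf fragment (not from the advisory), mixing safe
# and risky settings so the audit has something to report.
SAMPLE_CONFIG = """\
ServerRoot "/etc/apache2"
AllowEncodedSlashes On
MergeSlashes Off

<Directory /var/www/html>
    AllowOverride None
</Directory>

# per-user public_html, served via mod_userdir + suexec
<Directory /home/*/public_html>
    AllowOverride FileInfo Limit
    Options ExecCGI
</Directory>

<Directory /srv/wiki>
    AllowOverride None
    AllowOverrideList RequestHeader Redirect
</Directory>

<VirtualHost *:443>
    ServerName intranet.example.test
    MergeSlashes On
    <Directory /srv/intranet>
        AllowOverride All
    </Directory>
</VirtualHost>
"""

_OPEN = re.compile(r'^<(\w+)\s*([^>]*)>$')   # <Directory /path>, <VirtualHost *:443>
_CLOSE = re.compile(r'^</(\w+)>$')            # </Directory>, </VirtualHost>


@dataclass
class Finding:
    cve: str        # advisory CVE whose precondition is met
    scope: str      # enclosing containers, outermost first
    directive: str  # the directive (or combination) that triggered the finding


def audit_config(text):
    """Scan an httpd configuration text and return the list of Findings."""
    findings = []
    stack = []                 # open containers, e.g. ["VirtualHost *:443", "Directory /srv/intranet"]
    slash = {"": {}}           # slash-handling directives per server scope ("" = global server)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
            if m.group(1).lower() == 'virtualhost':
                slash[stack[-1]] = {}
            continue
        if _CLOSE.match(line):
            stack.pop()
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        scope = " > ".join(stack) or "server config"
        if name == 'allowoverride':
            # FileInfo (or All) lets .htaccess carry RequestHeader (CVE-2025-66200 precondition)
            if {a.lower() for a in args} & {'all', 'fileinfo'}:
                findings.append(Finding('CVE-2025-66200', scope, line))
        elif name == 'allowoverridelist':
            # an explicit per-directive allow-list can grant RequestHeader on its own
            if any(a.lower() == 'requestheader' for a in args):
                findings.append(Finding('CVE-2025-66200', scope, line))
        elif name in ('allowencodedslashes', 'mergeslashes'):
            vhost = next((s for s in stack if s.lower().startswith('virtualhost')), "")
            slash[vhost][name] = args[0].lower() if args else ''
    # CVE-2025-59775 (Windows only per the advisory): both settings in effect in one server scope
    for vhost, cfg in slash.items():
        eff = {**slash[""], **cfg}     # simplification: a VirtualHost inherits unset global values
        if eff.get('allowencodedslashes') == 'on' and eff.get('mergeslashes') == 'off':
            findings.append(Finding('CVE-2025-59775', vhost or 'server config',
                                    'AllowEncodedSlashes On + MergeSlashes Off'))
    return findings


if __name__ == '__main__':
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.cve}: [{f.scope}] {f.directive}")
```

A finding is a precondition match, not proof of exploitability: the advisory ties CVE-2025-59775 to Windows hosts, and the override findings matter only where untrusted users can write .htaccess files in the affected directories. Upgrading to 2.4.66-1~deb11u1 remains the fix; the audit helps decide which hosts to prioritise.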



[SECURITY] [DLA 4453-1] inetutils security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4453-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
January 25, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : inetutils
Version : 2:2.0-1+deb11u3
CVE ID : CVE-2026-24061
Debian Bug : 1126047

Kyu Neushwaistein aka Carlos Cortes Alvarez found that inetutils,
a collection of common network programs, was vulnerable to an authentication
bypass problem in telnetd, which could lead to remote root shell access (if
telnetd is enabled and exposed).

As also described in the GNU InetUtils security advisory, it is not
recommended to run the telnetd server at all. At a minimum, restrict network
access to the telnet port to trusted clients only. There is, after all, no
encryption built into the telnet protocol, so authentication details would
be sent in plain text over the network (which therefore needs to be trusted).

For more details see the GNU InetUtils Security Advisory:
https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html

For Debian 11 bullseye, this problem has been fixed in version
2:2.0-1+deb11u3.

We recommend that you upgrade your inetutils packages.

For the detailed security status of inetutils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/inetutils

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS