[DLA 4470-1] phpunit security update
[DLA 4472-1] sudo security update
[DLA 4471-1] debian-security-support update
[SECURITY] [DLA 4470-1] phpunit security update
-----------------------------------------------------------------------
Debian LTS Advisory DLA-4470-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
February 06, 2026 https://wiki.debian.org/LTS
-----------------------------------------------------------------------
Package : phpunit
Version : 9.5.2-1+deb11u1
CVE ID : CVE-2026-24765
PHPUnit is a testing framework for PHP. A vulnerability has been
discovered involving unsafe deserialization of code coverage data in
PHPT test execution. The vulnerability exists in the
`cleanupForCoverage()` method, which deserializes code coverage files
without validation, potentially allowing remote code execution if
malicious `.coverage` files are present prior to the execution of the
PHPT test.
For Debian 11 bullseye, this problem has been fixed in version
9.5.2-1+deb11u1.
We recommend that you upgrade your phpunit packages.
For the detailed security status of phpunit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpunit
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4472-1] sudo security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4472-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
February 06, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : sudo
Version : 1.9.5p2-3+deb11u3
CVE ID : CVE-2023-28486 CVE-2023-28487
Sudo, a program designed to allow a sysadmin to give limited
root privileges to users and log root activity, was
affected by multiple vulnerabilities.
CVE-2023-28486
Sudo did not escape control characters in log messages.
CVE-2023-28487
Sudo did not escape control characters in sudoreplay output.
For Debian 11 bullseye, these problems have been fixed in version
1.9.5p2-3+deb11u3.
We recommend that you upgrade your sudo packages.
For the detailed security status of sudo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sudo
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
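The escaping that CVE-2023-28486 and CVE-2023-28487 describe as missing, shown as an added example that is not part of the advisory and not sudo's own code: each control byte is rewritten before the message reaches a log or a terminal. The function names, the `#ooo` octal form and the sample string are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample (not from the advisory): a logged argument carrying a
 * newline, which would start a second log line, and an ANSI escape. */
static const char SAMPLE_ARG[] = "/bin/true\nfake second record \033[2J";

/* Copy src into dst, rewriting each control byte (0x00-0x1f, 0x7f) as '#'
 * plus three octal digits; the "#ooo" form is an assumption of this example.
 * Returns the escaped length, or (size_t)-1 if dst is too small. */
size_t escape_ctrl(const char *src, char *dst, size_t dstsize)
{
    size_t out = 0;
    if (dstsize == 0)
        return (size_t)-1;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        size_t need = (c < 0x20 || c == 0x7f) ? 4 : 1;
        if (out + need >= dstsize)      /* keep one byte for the NUL */
            return (size_t)-1;
        if (need == 4)
            snprintf(dst + out, 5, "#%03o", (unsigned int)c);
        else
            dst[out] = (char)c;
        out += need;
    }
    dst[out] = '\0';
    return out;
}

/* Number of lines a log reader would see in msg. */
int count_lines(const char *msg)
{
    int lines = 1;
    for (; *msg != '\0'; msg++)
        lines += (*msg == '\n');
    return lines;
}

int main(void)
{
    char safe[256];
    if (escape_ctrl(SAMPLE_ARG, safe, sizeof safe) == (size_t)-1)
        return 1;
    printf("raw: %d line(s), escaped: %d line(s)\n%s\n",
           count_lines(SAMPLE_ARG), count_lines(safe), safe);
    return 0;
}
```
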
[SECURITY] [DLA 4471-1] debian-security-support update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4471-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
February 06, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : debian-security-support
Version : 1:11+2026.02.06
Debian Bug : 1117607 1119290 1124248
debian-security-support, the Debian security support coverage checker,
has been updated in bullseye-security to mark the end of security
support of the following packages:
* python-setuptools
* node-node-forge
* guix
* dnsdist
* pdns
* keras
* freeimage
As well, the security support for the following packages has been
declared as limited:
* hdf5
* zabbix
For Debian 11 bullseye, this problem has been fixed in version
1:11+2026.02.06.
We recommend that you upgrade your debian-security-support packages.
For the detailed security status of debian-security-support please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/debian-security-support
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS