Debian 10937

Debian and Freexian have issued urgent security advisories addressing severe vulnerabilities in several widely used packages: python-aiohttp, ImageMagick, Node.js, p7zip, GStreamer plugins, and the Symfony framework. These updates patch numerous CVEs that could allow attackers to trigger remote code execution, exhaust system memory, bypass security controls, or crash services through malformed inputs. Administrators managing older Debian releases should prioritize applying these patches immediately, since several of the flaws involve path traversal issues and unhandled network frame errors. Regular maintenance cycles remain essential for keeping production environments secure against rapidly evolving exploit techniques.

[DLA 4613-1] python-aiohttp security update
ELA-1741-1 imagemagick security update
ELA-1734-1 nodejs security update
ELA-1744-1 p7zip-rar security update
ELA-1743-1 p7zip-rar update
ELA-1742-1 p7zip security update
[DSA 6318-1] gst-plugins-good1.0 security update
[DSA 6317-1] symfony security update
ELA-1745-1 imagemagick security update




[SECURITY] [DLA 4613-1] python-aiohttp security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4613-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
June 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-aiohttp
Version : 3.7.4-1+deb11u2
CVE ID : CVE-2025-53643 CVE-2025-69224 CVE-2025-69225 CVE-2025-69226
CVE-2025-69227 CVE-2025-69228 CVE-2025-69229 CVE-2026-22815
CVE-2026-34513 CVE-2026-34514 CVE-2026-34516 CVE-2026-34517
CVE-2026-34518 CVE-2026-34519 CVE-2026-34520 CVE-2026-34525

Several vulnerabilities have been found in aiohttp, an asynchronous
HTTP client/server framework for asyncio and Python.

CVE-2025-53643

Request smuggling vulnerability due to not parsing trailer sections
of an HTTP request.

CVE-2025-69224

Possible request smuggling attack in the HTTP parser with the
presence of non-ASCII characters.

CVE-2025-69225

Parser logic which allows non-ASCII decimals to be present in the
Range header.

CVE-2025-69226

Path traversal vulnerability that allows an attacker to ascertain
the existence of path components.

CVE-2025-69227

When processing a POST body, an infinite loop can occur when assert
statements are bypassed leading to a possible DoS attack.

CVE-2025-69228

Possible DoS attack that can freeze the server by exhausting the
memory using Request.post().

CVE-2025-69229

The handling of chunked messages that can result in an excessive
blocking of CPU usage when receiving a large number of chunks.

CVE-2026-22815

Uncapped memory usage due to insufficient restrictions in header and
trailer handling.

CVE-2026-34513

Excessive memory usage possibly resulting in a DoS due to an
unbounded DNS cache.

CVE-2026-34514

Header injection.

CVE-2026-34516

Potential DoS vulnerability caused by a response with an excessive
number of multipart headers.

CVE-2026-34517

Possible excessive memory usage caused by some multipart form fields
due to reading the entire field into memory before checking
client_max_size.

CVE-2026-34518

Leaking sensitive information by not dropping the Cookie and
Proxy-Authorization headers when following redirects to a different
origin.

CVE-2026-34519

Header injection via the reason parameter.

CVE-2026-34520

Possible security bypass by checking header values for control
characters according to RFC 9110.

CVE-2026-34525

Headers can be duplicated, e.g. the host header.

For Debian 11 bullseye, these problems have been fixed in version
3.7.4-1+deb11u2.

We recommend that you upgrade your python-aiohttp packages.

For the detailed security status of python-aiohttp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-aiohttp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1741-1 imagemagick security update


Package : imagemagick

Version : 8:6.9.10.23+dfsg-2.1+deb10u18 (buster)

Related CVEs :
CVE-2026-33901
CVE-2026-42050
CVE-2026-42326
CVE-2026-45031
CVE-2026-45358
CVE-2026-45624
CVE-2026-45664
CVE-2026-46520
CVE-2026-46521
CVE-2026-46522
CVE-2026-46523
CVE-2026-46559
CVE-2026-46692
CVE-2026-46693
CVE-2026-47165
CVE-2026-47166

Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to denial of service, information disclosure or
potentially arbitrary code execution if malformed images are processed.



ELA-1734-1 nodejs security update


Package : nodejs

Version : 10.24.0~dfsg-1~deb10u8 (buster)

Related CVEs :
CVE-2025-59465
CVE-2026-21637
CVE-2026-21714

Multiple vulnerabilities were discovered in Node.js, which could result
in denial of service.

CVE-2025-59465
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`.
Instead of safely closing the connection, the process crashes, enabling a remote denial of service.

CVE-2026-21637
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server.

CVE-2026-21714
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level)
that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame,
but the Http2Session object is never cleaned up.



ELA-1744-1 p7zip-rar security update


Package : p7zip-rar

Version : 16.02+really25.00+ds-0+deb9u1 (stretch)

Related CVEs :
CVE-2018-5996
CVE-2018-10115
CVE-2025-53816

The ELA-1742-1 update for p7zip breaks compatibility with p7zip-rar.
While p7zip-rar is currently not supported for stretch, we applied the
same codebase upgrade so both packages work together again.



ELA-1743-1 p7zip-rar update


Package : p7zip-rar

Version : 16.02+really25.00+ds-0+deb10u1 (buster)

Related CVEs :
CVE-2025-53816

The ELA-1742-1 update for p7zip breaks compatibility with p7zip-rar.
While p7zip-rar is currently not supported for stretch, we applied the
same codebase upgrade so both packages work together again.



ELA-1742-1 p7zip security update


Package : p7zip

Version : 16.02+really25.01+dfsg-0+deb9u1 (stretch), 16.02+really25.01+dfsg-0+deb10u1 (buster)

Related CVEs :
CVE-2022-47069
CVE-2023-31102
CVE-2023-40481
CVE-2023-52168
CVE-2023-52169
CVE-2024-11612
CVE-2025-11001
CVE-2025-11002
CVE-2025-53817
CVE-2025-55188

Multiple vulnerabilities were discovered in p7zip, a now unmaintained
fork of 7-Zip, a file archiver handling multiple formats.
To address these security vulnerabilities, whose fixes are
unfortunately not isolated, this update replaces p7zip with 7-Zip v25
(which now supports GNU/Linux natively), slightly modified to make it
reasonably compatible with p7zip.

CVE-2022-47069
heap-buffer-overflow vulnerability via the function
NArchive::NZip::CInArchive::FindCd

CVE-2023-31102
Ppmd7.c allows an integer underflow and invalid read operation via
a crafted 7Z archive.

CVE-2023-40481
SquashFS File Parsing Out-Of-Bounds Write RCE

CVE-2023-52168
heap-based buffer overflow in NTFS handler

CVE-2023-52169
out-of-bounds read in NTFS handler

CVE-2024-11612
CopyCoder Infinite Loop Denial-of-Service

CVE-2025-11001
ZIP File Parsing Directory Traversal RCE

CVE-2025-11002
ZIP File Parsing Directory Traversal RCE

CVE-2025-53817
null pointer dereference in the Compound handler may lead to
denial of service

CVE-2025-55188
does not always properly handle symbolic links



[SECURITY] [DSA 6318-1] gst-plugins-good1.0 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6318-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 01, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : gst-plugins-good1.0
CVE ID : CVE-2026-5056 CVE-2026-46469 CVE-2026-46470

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework and its codecs and demuxers, which may result in
denial of service or potentially the execution of arbitrary code if a
malformed media file is opened.

For the stable distribution (trixie), these problems have been fixed in
version 1.26.2-1+deb13u1.

We recommend that you upgrade your gst-plugins-good1.0 packages.

For the detailed security status of gst-plugins-good1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-good1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6317-1] symfony security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6317-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 01, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : symfony
CVE ID : CVE-2024-50340 CVE-2026-45063 CVE-2026-45065 CVE-2026-45067
CVE-2026-45068 CVE-2026-45071 CVE-2026-45073 CVE-2026-45077
CVE-2026-45133 CVE-2026-45304 CVE-2026-45305 CVE-2026-46626
CVE-2026-48489 CVE-2026-48736 CVE-2026-48784

Multiple vulnerabilities have been found in the Symfony PHP framework
which could lead to a bypass of security controls, cross-site scripting,
denial of service, SQL injection, email header injection, information
disclosure or code execution via PHP object deserialization.

For the oldstable distribution (bookworm), these problems have been fixed
in version 5.4.53+dfsg-0+deb12u1.

We recommend that you upgrade your symfony packages.

For the detailed security status of symfony please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/symfony

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1745-1 imagemagick security update


Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u29 (stretch)

Related CVEs :
CVE-2026-33901
CVE-2026-42326
CVE-2026-45358
CVE-2026-45624
CVE-2026-45664
CVE-2026-46520
CVE-2026-46521
CVE-2026-46522
CVE-2026-46523
CVE-2026-46559
CVE-2026-46692
CVE-2026-46693
CVE-2026-47165
CVE-2026-47166

Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to denial of service, information disclosure or
potentially arbitrary code execution if malformed images are processed.
