[DLA 4583-1] python3.9 security update
[DLA 4584-1] openssh security update
[DSA 6273-1] chromium security update
[DLA 4585-1] firewalld security update
[DSA 6275-1] linux security update
[DSA 6274-1] linux security update
[DLA 4586-1] php7.4 security update
[DSA 6277-1] openjpeg2 security update
[DSA 6276-1] ffmpeg security update
[SECURITY] [DLA 4583-1] python3.9 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4583-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arnaud Rebillout
May 15, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python3.9
Version : 3.9.2-1+deb11u7
CVE ID : CVE-2025-13462 CVE-2026-0672 CVE-2026-2297 CVE-2026-3644
CVE-2026-4224 CVE-2026-4519
Debian Bug :
Multiple vulnerabilities were discovered in Python 3.9.
CVE-2025-13462
The "tarfile" module would still apply normalization of AREGTYPE
(\x00) blocks to DIRTYPE, even while processing a multi-block member
such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a
crafted tar archive being misinterpreted by the tarfile module
compared to other implementations.
CVE-2026-0672
When using http.cookies.Morsel, user-controlled cookie values and
parameters can allow injecting HTTP headers into messages. Patch
rejects all control characters within cookie names, values, and
parameters.
CVE-2026-2297
The import hook in CPython that handles legacy *.pyc files
(SourcelessFileLoader) is incorrectly handled in FileLoader (a base
class) and so does not use io.open_code() to read the .pyc files.
sys.audit handlers for this audit event therefore do not fire.
CVE-2026-3644
The fix for CVE-2026-0672, which rejected control characters in
http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator,
and unpickling paths were not patched, allowing control characters to
bypass input validation. Additionally, BaseCookie.js_output() lacked
the output validation applied to BaseCookie.output().
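The two cookie issues above come down to one rule: no control character may reach a Set-Cookie line through a name, value or parameter. The following is an added example (not code from the advisory or from CPython) that enforces that rule in application code before the data is handed to http.cookies.Morsel, with an output-side check as well; the constructed "X-Injected" value only illustrates what the check rejects.

```python
"""Reject control characters in cookie components before they reach Morsel.

Added example, not code from the advisory or from CPython. It applies the
policy the CVE-2026-0672 / CVE-2026-3644 fixes enforce (no control
characters in cookie names, values or parameters) in application code, so
the check holds even where the interpreter is not yet patched.
"""
from http.cookies import CookieError, Morsel

# C0 controls (0x00-0x1f) and DEL. CR/LF are the ones that would start a
# new header line; the patch rejects the whole range, and so does this.
_CONTROL = {chr(c) for c in range(0x20)} | {"\x7f"}


def has_control_chars(text: str) -> bool:
    """True if any C0 control character or DEL appears in text."""
    return any(ch in _CONTROL for ch in text)


def safe_morsel(name: str, value: str, **params: str) -> Morsel:
    """Build a Morsel, refusing any name, value or parameter with controls.

    Parameters are Morsel attributes such as path="/" or domain="example.org".
    The value is used as its own coded value; callers that need quoting of
    ';' or '"' should go through SimpleCookie instead.
    """
    for label, text in (("name", name), ("value", value), *params.items()):
        if has_control_chars(str(text)):
            raise CookieError(f"control character in cookie {label}: {text!r}")
    morsel = Morsel()
    morsel.set(name, value, value)   # key, value, coded_value
    for attr, text in params.items():
        morsel[attr] = text          # raises CookieError for unknown attrs
    return morsel


def set_cookie_header(name: str, value: str, **params: str) -> str:
    """Return the Set-Cookie header value for one cookie, or raise CookieError."""
    header = safe_morsel(name, value, **params).OutputString()
    # Output-side check as well: whatever Morsel rendered must be one line.
    if "\r" in header or "\n" in header:
        raise CookieError("rendered cookie header spans more than one line")
    return header


if __name__ == "__main__":
    print(set_cookie_header("session", "abc123", path="/"))
    try:  # constructed value carrying CR/LF, rejected before rendering
        set_cookie_header("session", "abc\r\nX-Injected: 1")
    except CookieError as exc:
        print("rejected:", exc)
```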
CVE-2026-4224
When an Expat parser with a registered ElementDeclHandler parses an
inline document type definition containing a deeply nested content
model, a C stack overflow occurs.
CVE-2026-4519
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize
URLs prior to passing to webbrowser.open().
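The advisory recommends sanitizing URLs before passing them to webbrowser.open(). As an added example (not code from the advisory or from CPython), this wrapper applies the rule the CVE-2026-4519 fix introduces, rejecting leading dashes, and additionally refuses leading whitespace, control characters and schemes other than http/https, so that an untrusted string cannot be read as a browser command-line option; the scheme allowlist is an assumption a deployment may need to widen.

```python
"""Sanitize a URL before handing it to webbrowser.open().

Added example, not code from the advisory or from CPython. Mirrors the
CVE-2026-4519 fix (reject leading dashes) in application code and adds a
scheme allowlist; ALLOWED_SCHEMES is an assumption for this example.
"""
import webbrowser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def sanitize_url(url: str) -> str:
    """Return url unchanged if it is safe to open, otherwise raise ValueError."""
    if not isinstance(url, str) or not url:
        raise ValueError("empty URL")
    # Checked on the raw string: urlsplit() strips leading whitespace and
    # some control characters, which would hide exactly what we look for.
    if url[0] == "-" or url[0].isspace():
        raise ValueError(f"URL starts with an option-like character: {url!r}")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("control character in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host")
    return url


def open_url(url: str) -> bool:
    """Open url in the default browser only after it passes sanitize_url()."""
    return webbrowser.open(sanitize_url(url))


if __name__ == "__main__":
    # Constructed inputs: one acceptable URL and one that would be taken
    # as a browser option by some browsers.
    print(sanitize_url("https://www.debian.org/lts/"))
    try:
        sanitize_url("-new-window https://example.org/")
    except ValueError as exc:
        print("rejected:", exc)
```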
For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u7.
We recommend that you upgrade your python3.9 packages.
For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4584-1] openssh security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4584-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
May 15, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : openssh
Version : 1:8.4p1-5+deb11u7
CVE ID : CVE-2025-61984 CVE-2025-61985 CVE-2026-35385 CVE-2026-35386
CVE-2026-35387 CVE-2026-35388 CVE-2026-35414
Debian Bug : 1117529 1117530 1132572 1132573 1132574 1132575 1132576
Several vulnerabilities have been discovered in OpenSSH, an implementation of
the SSH protocol suite.
CVE-2025-61984
ssh allows control characters in usernames that originate from certain
possibly untrusted sources, potentially leading to code execution when a
ProxyCommand is used.
CVE-2025-61985
ssh allows the '\0' character in an ssh:// URI, potentially leading to code
execution when a ProxyCommand is used.
CVE-2026-35385
When downloading files as root in legacy (-O) mode and without the -p
(preserve modes) flag set, scp did not clear setuid/setgid bits from
downloaded files as one might typically expect. This bug dates back to the
original Berkeley rcp program. Reported by Christos Papakonstantinou of
Cantina and Spearbit.
CVE-2026-35386
Validation of shell metacharacters in user names supplied on the
command-line was performed too late to prevent some situations where they
could be expanded from %-tokens in ssh_config. For certain configurations,
such as those that use a "%u" token in a "Match exec" block, an attacker
who can control the user name passed to ssh(1) could potentially execute
arbitrary shell commands. Reported by Florian Kohnhäuser.
OpenSSH developers continue to recommend against directly exposing ssh(1)
and other tools' command-lines to untrusted input. Mitigations such as the
one addressing this issue cannot be absolute given the variety of shells and
user configurations in use.
CVE-2026-35387
ssh can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in
PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted
to mean all ECDSA algorithms. Reported by Christos Papakonstantinou of
Cantina and Spearbit.
CVE-2026-35388
Connection multiplexing confirmation (requested using "ControlMaster
ask/autoask") was not being tested for proxy mode multiplexing sessions (i.e.
"ssh -O proxy ..."). Reported by Michalis Vasileiadis.
CVE-2026-35414
When matching an authorized_keys principals="" option against a list of
principals in a certificate, an incorrect algorithm was used that could
allow inappropriate matching in cases where a principal name in the
certificate contains a comma character. Exploitation of the condition requires
an authorized_keys principals="" option that lists more than one principal
*and* a CA that will issue a certificate that encodes more than one of
these principal names separated by a comma (typical CAs strongly constrain
which principal names they will place in a certificate). This condition
only applies to user-trusted CA keys in authorized_keys; the main
certificate authentication path
(TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported by
Vladimir Tokarev.
For Debian 11 bullseye, these problems have been fixed in version
1:8.4p1-5+deb11u7.
We recommend that you upgrade your openssh packages.
For the detailed security status of openssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssh
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6273-1] chromium security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6273-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
May 15, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2026-8509 CVE-2026-8510 CVE-2026-8511 CVE-2026-8512
CVE-2026-8513 CVE-2026-8514 CVE-2026-8515 CVE-2026-8516
CVE-2026-8517 CVE-2026-8518 CVE-2026-8519 CVE-2026-8520
CVE-2026-8521 CVE-2026-8522 CVE-2026-8523 CVE-2026-8524
CVE-2026-8525 CVE-2026-8526 CVE-2026-8527 CVE-2026-8528
CVE-2026-8529 CVE-2026-8530 CVE-2026-8531 CVE-2026-8532
CVE-2026-8533 CVE-2026-8534 CVE-2026-8535 CVE-2026-8536
CVE-2026-8537 CVE-2026-8538 CVE-2026-8539 CVE-2026-8540
CVE-2026-8541 CVE-2026-8542 CVE-2026-8543 CVE-2026-8544
CVE-2026-8545 CVE-2026-8546 CVE-2026-8547 CVE-2026-8548
CVE-2026-8549 CVE-2026-8550 CVE-2026-8551 CVE-2026-8552
CVE-2026-8553 CVE-2026-8554 CVE-2026-8555 CVE-2026-8556
CVE-2026-8557 CVE-2026-8558 CVE-2026-8559 CVE-2026-8560
CVE-2026-8561 CVE-2026-8562 CVE-2026-8563 CVE-2026-8564
CVE-2026-8565 CVE-2026-8566 CVE-2026-8567 CVE-2026-8568
CVE-2026-8569 CVE-2026-8570 CVE-2026-8571 CVE-2026-8572
CVE-2026-8573 CVE-2026-8574 CVE-2026-8575 CVE-2026-8576
CVE-2026-8577 CVE-2026-8578 CVE-2026-8579 CVE-2026-8580
CVE-2026-8581 CVE-2026-8582 CVE-2026-8583 CVE-2026-8584
CVE-2026-8585 CVE-2026-8586 CVE-2026-8587
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
For the oldstable distribution (bookworm), these problems have been fixed
in version 148.0.7778.167-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 148.0.7778.167-1~deb13u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4585-1] firewalld security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4585-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
May 15, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : firewalld
Version : 0.9.3-2+deb11u1
CVE ID : CVE-2026-4948
Debian Bug :
A flaw was found in firewalld where a local unprivileged user can
modify the runtime firewall state without proper authentication, leading to
unauthorized changes in network security configurations.
For Debian 11 bullseye, this problem has been fixed in version
0.9.3-2+deb11u1.
We recommend that you upgrade your firewalld packages.
For the detailed security status of firewalld please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firewalld
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6275-1] linux security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6275-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 15, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2026-46333
One vulnerability has been discovered in the Linux kernel that may lead
to a local privilege escalation.
For the oldstable distribution (bookworm), this problem has been fixed
in version 6.1.172-1.
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6274-1] linux security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6274-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 15, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2026-31499 CVE-2026-43088 CVE-2026-43109 CVE-2026-43220
CVE-2026-43490 CVE-2026-46333
Debian Bug : 1119093 1131025 1135313
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
For the stable distribution (trixie), these problems have been fixed in
version 6.12.88-1.
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4586-1] php7.4 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4586-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
May 16, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : php7.4
Version : 7.4.33-1+deb11u11
CVE ID : CVE-2026-6722 CVE-2026-6735 CVE-2026-7258 CVE-2026-7261
CVE-2026-7262 CVE-2026-7568
Debian Bug : 1136054
Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in remote code
execution, information disclosure or denial of service.
CVE-2026-6722
A use-after-free issue was discovered in the SOAP extension which
may lead to remote code execution when an apache:Map node contains a
duplicate key.
CVE-2026-6735
Conrad Draper discovered that the request URI within the PHP-FPM
status page was improperly sanitized, thereby allowing cross-site
scripting (XSS).
CVE-2026-7258
An out-of-bounds read issue was discovered in `urldecode()`, which
may lead to denial of service on some platforms.
CVE-2026-7261
Ilia Alshanetsky discovered a use-after-free issue after header
parsing failure when SoapServer is configured with
SOAP_PERSISTENCE_SESSION, which may lead to denial of service.
CVE-2026-7262
Ilia Alshanetsky discovered a NULL pointer dereference issue in the SOAP
apache:Map decoder with a missing `` element, thereby leading
to denial of service.
CVE-2026-7568
Aleksey Solovev discovered a signed integer overflow in the
`metaphone()` function from the PHP standard library.
For Debian 11 bullseye, these problems have been fixed in version
7.4.33-1+deb11u11.
We recommend that you upgrade your php7.4 packages.
For the detailed security status of php7.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.4
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6277-1] openjpeg2 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6277-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 15, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openjpeg2
CVE ID : CVE-2026-6192
An integer overflow has been discovered in OpenJPEG, a JPEG 2000 image
compression/decompression library, which could result in denial of
service or potentially the execution of arbitrary code if malformed
images are opened.
For the oldstable distribution (bookworm), this problem has been fixed
in version 2.5.0-2+deb12u3.
For the stable distribution (trixie), this problem has been fixed in
version 2.5.3-2.1~deb13u2.
We recommend that you upgrade your openjpeg2 packages.
For the detailed security status of openjpeg2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjpeg2
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6276-1] ffmpeg security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6276-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 15, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ffmpeg
CVE ID : not yet available
Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.
For the oldstable distribution (bookworm), these problems have been fixed
in version 7:5.1.9-0+deb12u1.
We recommend that you upgrade your ffmpeg packages.
For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/