Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1618-1 python-urllib3 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4426-2] osslsigncode regression update
[DLA 4446-1] python-urllib3 security update
Debian GNU/Linux 13 (Trixie):
[DSA 6109-1] incus security update
[SECURITY] [DLA 4426-2] osslsigncode regression update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4426-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
January 23, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : osslsigncode
Version : 2.5-4~deb11u1+really2.9-1+deb11u2
Debian Bug : 1076785
The fix for CVE-2023-36377 was released in DLA 4426-1 by upgrading to
version 2.5-4, which carried a known bug, #1076785. That issue is fixed
by updating to version 2.9. https://bugs.debian.org/1076785
For Debian 11 bullseye, this problem has been fixed in version
2.5-4~deb11u1+really2.9-1+deb11u2.
We recommend that you upgrade your osslsigncode packages.
For the detailed security status of osslsigncode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/osslsigncode
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4446-1] python-urllib3 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4446-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
January 23, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-urllib3
Version : 1.26.5-1~exp1+deb11u3
CVE ID : CVE-2026-21441
Debian Bug : 1125062
It was discovered that python-urllib3, an HTTP library with thread-safe
connection pooling for Python, was vulnerable to a decompression bomb when
following HTTP redirects via the streaming API, which could lead to
denial of service.
For Debian 11 bullseye, this problem has been fixed in version
1.26.5-1~exp1+deb11u3.
We recommend that you upgrade your python-urllib3 packages.
For the detailed security status of python-urllib3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-urllib3
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6109-1] incus security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6109-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 23, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : incus
CVE ID : CVE-2026-23953 CVE-2026-23954
Two security issues were discovered in Incus, a system container and
virtual machine manager, which could result in the execution of arbitrary
commands via malformed images.
For the stable distribution (trixie), these problems have been fixed in
version 6.0.4-2+deb13u4.
We recommend that you upgrade your incus packages.
For the detailed security status of incus please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/incus
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1618-1 python-urllib3 security update
Package : python-urllib3
Version : 1.24.1-1+deb10u5 (buster)
Related CVEs : CVE-2026-21441
It was discovered that python-urllib3, an HTTP library with thread-safe
connection pooling for Python, was reading the entire response body to
drain the connection and unnecessarily decompressed the content when
following HTTP redirects via the streaming API.
This decompression occurred in a way that bypassed the library's
decompression-bomb safeguards. A malicious server could therefore
exploit this behavior to trigger denial of service on the client due to
excessive resource consumption (high CPU usage and large memory
allocations).
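Both python-urllib3 advisories above (DLA 4446-1 and ELA-1618-1) describe the same failure mode: a streaming client that only wants to drain a redirect response so the connection can be reused ends up decoding the body, and does so outside the decompression-bomb limits. The following is an added, stand-alone example and is not code from urllib3 or from the Debian advisories. It shows the two defender-side strategies in plain standard-library Python: discard the raw bytes without decoding at all, or decode under a hard output cap so a highly compressible body cannot force an oversized allocation. The gzip body is constructed inside the example, and the 1 MiB cap is an assumed policy value, not a urllib3 default.

```python
"""Draining and bounded decoding of a compressed HTTP body (added example)."""
import gzip
import io
import zlib
from typing import BinaryIO, Optional

MAX_DECODED_BYTES = 1024 * 1024  # assumed policy: refuse more than 1 MiB decoded
CHUNK = 64 * 1024                # read size for the streaming loops


class DecompressionBombError(Exception):
    """Raised when decoded output would exceed the configured cap."""


def make_compressed_body(decoded_size: int) -> bytes:
    """Construct a sample gzip body that expands to `decoded_size` bytes.

    Constructed test input only: a run of zeros compresses extremely well,
    which is exactly the shape a decompression-bomb safeguard must resist.
    """
    return gzip.compress(b"\0" * decoded_size)


def drain_raw(stream: BinaryIO) -> int:
    """Drain a connection by discarding raw bytes without decoding them.

    This is the safe way to reuse a keep-alive socket after a redirect:
    the compressed bytes are read and thrown away, so the decoded size
    never matters. Returns the number of raw bytes consumed.
    """
    consumed = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            return consumed
        consumed += len(chunk)


def decode_bounded(stream: BinaryIO, max_decoded: int = MAX_DECODED_BYTES) -> bytes:
    """Decode a gzip body incrementally, refusing to exceed `max_decoded`.

    zlib's `max_length` argument bounds the output of each decompress()
    call, so the budget is enforced before a large buffer is allocated,
    not after. Any compressed input left over because the cap was hit
    lands in `unconsumed_tail`, which we never process.
    """
    decoder = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        # Allow at most one byte past the cap so overflow is detectable.
        out += decoder.decompress(chunk, max_decoded - len(out) + 1)
        if len(out) > max_decoded:
            raise DecompressionBombError(
                f"decoded output exceeds {max_decoded} bytes; aborting"
            )
    out += decoder.flush()
    if len(out) > max_decoded:
        raise DecompressionBombError(
            f"decoded output exceeds {max_decoded} bytes; aborting"
        )
    return bytes(out)


def inspect_body(body: bytes, max_decoded: int = MAX_DECODED_BYTES) -> dict:
    """Run both strategies over a body and report what each one saw."""
    raw_bytes = drain_raw(io.BytesIO(body))
    decoded_bytes: Optional[int]
    try:
        decoded_bytes = len(decode_bounded(io.BytesIO(body), max_decoded))
        rejected = False
    except DecompressionBombError:
        decoded_bytes = None
        rejected = True
    return {"raw_bytes": raw_bytes, "decoded_bytes": decoded_bytes, "rejected": rejected}


if __name__ == "__main__":
    # A small body decodes normally; an 8 MiB-of-zeros body is only a few
    # kilobytes on the wire but is rejected by the bounded decoder, while
    # draining it raw costs only those few kilobytes of reads.
    print(inspect_body(make_compressed_body(4096)))
    print(inspect_body(make_compressed_body(8 * 1024 * 1024)))
```

The practical lesson matches the advisory text: when the body of a redirect is not needed, drain it with `drain_raw`-style logic and never decode; when a body must be decoded, the cap has to be applied at each incremental step, as `decode_bounded` does, rather than after the whole body has been expanded.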