[DSA 6282-1] rsync security update
[DLA 4592-1] firefox-esr security update
[DSA 6285-1] bind9 security update
[DSA 6284-1] pdns security update
[DSA 6283-1] firefox-esr security update
[DLA 4591-1] rsync security update
ELA-1718-1 python-gevent security update
[SECURITY] [DSA 6282-1] rsync security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6282-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 20, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : rsync
CVE ID : CVE-2026-29518 CVE-2026-43617 CVE-2026-43618 CVE-2026-43619
CVE-2026-43620 CVE-2026-45232
Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool, which may result in local
privilege escalation, bypass of intended access restrictions, remote
memory disclosure to an authenticated daemon peer or denial of service.
For the oldstable distribution (bookworm), these problems have been fixed
in version 3.2.7-1+deb12u5.
For the stable distribution (trixie), these problems have been fixed in
version 3.4.1+ds1-5+deb13u3.
We recommend that you upgrade your rsync packages.
For the detailed security status of rsync please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/rsync
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4592-1] firefox-esr security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4592-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
May 20, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : firefox-esr
Version : 140.11.0esr-1~deb11u1
CVE ID : CVE-2026-8388 CVE-2026-8391 CVE-2026-8401 CVE-2026-8946
CVE-2026-8947 CVE-2026-8950 CVE-2026-8953 CVE-2026-8954
CVE-2026-8955 CVE-2026-8956 CVE-2026-8957 CVE-2026-8958
CVE-2026-8961 CVE-2026-8962 CVE-2026-8968 CVE-2026-8970
CVE-2026-8974 CVE-2026-8975
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, bypass of the same-origin policy, privilege escalation, information
disclosure, spoofing or sandbox escape.
For Debian 11 bullseye, these problems have been fixed in version
140.11.0esr-1~deb11u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6285-1] bind9 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6285-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 20, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bind9
CVE ID : CVE-2026-3039 CVE-2026-3592 CVE-2026-5946
CVE-2026-5950 CVE-2026-5947 CVE-2026-3593
Several vulnerabilities were discovered in BIND, a DNS server
implementation, which may result in denial of service.
For the oldstable distribution (bookworm), these problems have been fixed
in version 1:9.18.49-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 1:9.20.23-1~deb13u1.
We recommend that you upgrade your bind9 packages.
For the detailed security status of bind9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/bind9
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6284-1] pdns security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6284-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 20, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : pdns
CVE ID : CVE-2026-42000 CVE-2026-42001 CVE-2026-42002 CVE-2026-42396
Multiple vulnerabilities have been discovered in the PowerDNS DNS server,
which could result in denial of service or information disclosure.
For the stable distribution (trixie), these problems have been fixed in
version 4.9.15-0+deb13u1.
We recommend that you upgrade your pdns packages.
For the detailed security status of pdns please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdns
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6283-1] firefox-esr security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6283-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 20, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : firefox-esr
CVE ID : CVE-2026-8388 CVE-2026-8391 CVE-2026-8401 CVE-2026-8946
CVE-2026-8947 CVE-2026-8950 CVE-2026-8953 CVE-2026-8954
CVE-2026-8955 CVE-2026-8956 CVE-2026-8957 CVE-2026-8958
CVE-2026-8961 CVE-2026-8962 CVE-2026-8968 CVE-2026-8970
CVE-2026-8974 CVE-2026-8975
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, bypass of the same-origin policy, privilege escalation, information
disclosure, spoofing or sandbox escape.
For the oldstable distribution (bookworm), these problems have been fixed
in version 140.11.0esr-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 140.11.0esr-1~deb13u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4591-1] rsync security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4591-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
May 20, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : rsync
Version : 3.2.3-4+deb11u4
CVE ID : CVE-2026-29518 CVE-2026-43617 CVE-2026-43618
CVE-2026-43619 CVE-2026-43620
Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool, which may result in local
privilege escalation, bypass of intended access restrictions, remote
memory disclosure to an authenticated daemon peer or denial of service.
For Debian 11 bullseye, these problems have been fixed in version
3.2.3-4+deb11u4.
We recommend that you upgrade your rsync packages.
For the detailed security status of rsync please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rsync
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1718-1 python-gevent security update
Package : python-gevent
Version : 1.3.7-1+deb10u1 (buster)
Related CVEs :
CVE-2023-41419
An issue in Gevent, a coroutine-based Python networking library,
before version 23.9.0 allows a remote attacker to escalate privileges
via a crafted script to the WSGIServer component.