
Debian released several security advisories to address critical flaws across multiple widely used software packages. The updates target vulnerabilities in Samba, node-shell-quote, Kdenlive, ImageMagick, and Memcached that could allow attackers to execute arbitrary code, inject shell commands, or steal sensitive authentication information through various exploit methods. Each advisory provides specific patched versions for older stable releases as well as current distributions, ensuring administrators can apply the necessary fixes without disrupting their systems.

[DSA 6297-1] samba security update
[DSA 6300-1] node-shell-quote security update
[DSA 6299-1] kdenlive security update
[DSA 6298-1] imagemagick security update
[DLA 4601-1] memcached security update
[ELA-1733-1] memcached security update




[SECURITY] [DSA 6297-1] samba security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6297-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 26, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : samba
CVE ID : CVE-2026-1933 CVE-2026-2340 CVE-2026-3012 CVE-2026-3238
CVE-2026-4408 CVE-2026-4480

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix, which might result in bypass of access
checks, overwrite of files in unintended situations using the WORM vfs
module, installing CA certificates over http without verification when
auto-enrollment GPO is enabled, denial of service or remote code
execution.

For the oldstable distribution (bookworm), these problems have been
fixed in version 2:4.17.12+dfsg-0+deb12u4.

For the stable distribution (trixie), these problems have been fixed in
version 2:4.22.8+dfsg-0+deb13u2.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6300-1] node-shell-quote security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6300-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 26, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : node-shell-quote
CVE ID : CVE-2026-9277

Akshat Sinha discovered that incorrect input sanitising in
node-shell-quote, a Node.js module to quote and parse shell commands,
could result in shell command injection.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.7.4+~1.7.1-1+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 1.7.4+~1.7.1-1+deb13u1.

We recommend that you upgrade your node-shell-quote packages.

For the detailed security status of node-shell-quote please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-shell-quote



[SECURITY] [DSA 6299-1] kdenlive security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6299-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 26, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : kdenlive
CVE ID : CVE-2026-45184

It was discovered that opening a malformed project file in the Kdenlive
video editor could result in the execution of arbitrary code.

For the oldstable distribution (bookworm), this problem has been fixed
in version 22.12.3-2+deb12u2.

For the stable distribution (trixie), this problem has been fixed in
version 24.12.3-2+deb13u1.

We recommend that you upgrade your kdenlive packages.

For the detailed security status of kdenlive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/kdenlive



[SECURITY] [DSA 6298-1] imagemagick security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6298-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 26, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2026-42050 CVE-2026-42326 CVE-2026-45031 CVE-2026-45358
CVE-2026-45359 CVE-2026-45624 CVE-2026-45664 CVE-2026-46520
CVE-2026-46521 CVE-2026-46522 CVE-2026-46523 CVE-2026-46557
CVE-2026-46559 CVE-2026-46692 CVE-2026-46693 CVE-2026-47165
CVE-2026-47166

Multiple security vulnerabilities were discovered in imagemagick,
a software suite used for editing and manipulating digital images, which
could lead to denial of service, information disclosure or potentially
arbitrary code execution if malformed images are processed.

For the stable distribution (trixie), these problems have been fixed in
version 8:7.1.1.43+dfsg1-1+deb13u9.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick



[SECURITY] [DLA 4601-1] memcached security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4601-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
May 26, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : memcached
Version : 1.6.9+dfsg-1+deb11u1
CVE IDs : CVE-2026-47783 CVE-2026-47784
Debian Bug : 1137214

It was discovered that there were two side-channel attacks in
memcached, the popular in-memory key/value database store. This could
have been used to reveal or extract information about authentication
details.

For Debian 11 bullseye, these problems have been fixed in version
1.6.9+dfsg-1+deb11u1.

We recommend that you upgrade your memcached packages.

For the detailed security status of memcached please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/memcached

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1733-1 memcached security update

Package : memcached
Version : 1.4.33-1+deb9u3 (stretch), 1.5.6-1.1+deb10u2 (buster)
Related CVEs : CVE-2026-47783 CVE-2026-47784



Two side-channel attacks were discovered in memcached, an in-memory key/value
database store. This could have been used to reveal or extract information
about authentication details.
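
As an added example (not part of the Debian advisories): a check of installed versions against the fixed versions quoted above, using the ordering rules of deb-version(7), where the epoch is compared first, then the upstream version, then the Debian revision, and `~` sorts before everything. The function names, the table layout and the `SAMPLE` inventory are constructed for this illustration.

```python
import re

# Fixed source-package versions, copied from the advisories on this page.
FIXED = {
    "samba": {"bookworm": "2:4.17.12+dfsg-0+deb12u4", "trixie": "2:4.22.8+dfsg-0+deb13u2"},
    "node-shell-quote": {"bookworm": "1.7.4+~1.7.1-1+deb12u1", "trixie": "1.7.4+~1.7.1-1+deb13u1"},
    "kdenlive": {"bookworm": "22.12.3-2+deb12u2", "trixie": "24.12.3-2+deb13u1"},
    "imagemagick": {"trixie": "8:7.1.1.43+dfsg1-1+deb13u9"},
    "memcached": {"bullseye": "1.6.9+dfsg-1+deb11u1", "buster": "1.5.6-1.1+deb10u2", "stretch": "1.4.33-1+deb9u3"},
}
_NUM = re.compile(r"[0-9]*")

def _order(c):
    # '~' sorts first, then end of string (""), then letters, then other characters.
    if c in ("", "~") or c.isdigit():
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run, compared character by character with _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            x, y = _order(a[i:i + 1]), _order(b[j:j + 1])
            if x != y:
                return -1 if x < y else 1
            i, j = i + 1, j + 1
        # Digit run, compared numerically (so 10 is newer than 9).
        x, y = _NUM.match(a, i).group(), _NUM.match(b, j).group()
        if int(x or 0) != int(y or 0):
            return -1 if int(x or 0) < int(y or 0) else 1
        i, j = i + len(x), j + len(y)
    return 0

def deb_cmp(a, b):
    # Returns -1, 0 or 1: epoch first, then upstream version, then Debian revision.
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_update(inventory, release):
    # inventory: {source package: installed version}; returns packages older than the fix.
    return sorted(p for p, v in inventory.items()
                  if release in FIXED.get(p, {}) and deb_cmp(v, FIXED[p][release]) < 0)

SAMPLE = {"samba": "2:4.22.8+dfsg-0+deb13u1", "kdenlive": "24.12.3-2",  # constructed, not real data
          "imagemagick": "8:7.1.1.43+dfsg1-1+deb13u9", "memcached": "1.6.38-1"}
```

The advisories name source packages, so on a real host the inventory can be gathered with `dpkg-query -W -f='${source:Package} ${source:Version}\n'`.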

