[DSA 6312-1] symfony security update
[DLA 4610-1] git-lfs security update
[DLA 4612-1] sentry-python security update
[DLA 4611-1] keystone security update
[DSA 6316-1] chromium security update
[DSA 6315-1] cyborg security update
[DSA 6314-1] swift security update
[DSA 6313-1] dovecot security update
[SECURITY] [DSA 6312-1] symfony security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6312-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 31, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : symfony
CVE ID : CVE-2024-50340 CVE-2026-45063 CVE-2026-45064 CVE-2026-45065
CVE-2026-45066 CVE-2026-45067 CVE-2026-45068 CVE-2026-45069
CVE-2026-45071 CVE-2026-45072 CVE-2026-45073 CVE-2026-45077
CVE-2026-45133 CVE-2026-45304 CVE-2026-45305 CVE-2026-45754
CVE-2026-46626 CVE-2026-48489 CVE-2026-48736 CVE-2026-48760
CVE-2026-48761 CVE-2026-48784
Multiple vulnerabilities have been found in the Symfony PHP framework
which could lead to a bypass of security controls, cross-site scripting,
denial of service, SQL injection, email header injection, information
disclosure or code execution via PHP object deserialization.
For the stable distribution (trixie), these problems have been fixed in
version 6.4.41+dfsg-0+deb13u1.
We recommend that you upgrade your symfony packages.
For the detailed security status of symfony please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/symfony
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4610-1] git-lfs security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4610-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
May 31, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : git-lfs
Version : 2.13.2-1+deb11u2
CVE ID : CVE-2025-26625
In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's
working tree with the contents of Git LFS objects, certain Git LFS commands
could write to files visible outside the current Git working tree if symbolic
or hard links existed which collided with the paths of files tracked by Git
LFS.
The git lfs checkout and git lfs pull commands did not check for symbolic
links before writing to files in the working tree, which allowed an attacker
to craft a repository containing symbolic or hard links that caused Git LFS
to write to arbitrary file system locations accessible to the user running
these commands.
Also, when the git lfs checkout and git lfs pull commands were run in a bare
repository, they could write to files visible outside the repository.
The complete fix for this issue, specifically for the behaviour of git lfs pull,
requires Git 2.42.0 or newer.
As a workaround, support for symlinks in Git may be disabled by setting the
core.symlinks configuration option to false, after which further clones and
fetches will not create symbolic links. However, any symbolic or hard links
in existing repositories will still provide the opportunity for Git LFS to
write to their targets.
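The defect described above is a write that follows a link already present in the working tree. The following added example (not Git LFS code and not part of the advisory) shows the checks a tool that materialises objects into a working tree can apply before writing: the path must resolve inside the tree, no component may be a symbolic link, an existing target must be a regular file with a single link, and the file is opened with O_EXCL|O_NOFOLLOW so a link that appears between the checks and the open still fails. The demo builds a constructed temporary tree with one symlink and one hard link to a file outside it; all names in it are made up for the illustration.

```python
import os
import stat
import tempfile


class UnsafeTargetError(Exception):
    """Raised when a write would leave the tree or pass through a link."""


def _resolves_inside(root: str, relpath: str) -> bool:
    # realpath follows every symlink in the path; the result must stay under root.
    root_real = os.path.realpath(root)
    target_real = os.path.realpath(os.path.join(root, relpath))
    return os.path.commonpath([root_real, target_real]) == root_real


def safe_write(root: str, relpath: str, data: bytes) -> str:
    """Write data to root/relpath and return the absolute path written.

    Refuses when the path escapes root, when any component is a symbolic
    link, when an existing file has more than one link (hard link), or when
    the existing entry is not a regular file.
    """
    parts = relpath.split(os.sep)
    if os.path.isabs(relpath) or ".." in parts:
        raise UnsafeTargetError(f"rejecting path {relpath!r}")
    if not _resolves_inside(root, relpath):
        raise UnsafeTargetError(f"{relpath!r} resolves outside {root!r}")

    # Inspect each component with lstat so a symlinked directory is caught too.
    current = root
    for part in parts:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            break  # nothing below this point exists yet
        if stat.S_ISLNK(st.st_mode):
            raise UnsafeTargetError(f"{current!r} is a symbolic link")

    full = os.path.join(root, relpath)
    try:
        st = os.lstat(full)
    except FileNotFoundError:
        os.makedirs(os.path.dirname(full), exist_ok=True)
    else:
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeTargetError(f"{full!r} is not a regular file")
        if st.st_nlink > 1:
            raise UnsafeTargetError(f"{full!r} has {st.st_nlink} links")
        os.unlink(full)  # replace the inode instead of writing through it

    # O_EXCL|O_NOFOLLOW: fail if a link appeared between the checks and the open.
    fd = os.open(full, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return full


def demo() -> dict:
    """Constructed scenario: a tree in which two tracked paths are a symlink
    and a hard link to a file outside the tree. Returns what happened to
    each write."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside.txt")
        with open(outside, "wb") as fh:
            fh.write(b"original")
        tree = os.path.join(tmp, "repo")
        os.makedirs(os.path.join(tree, "assets"))
        os.symlink(outside, os.path.join(tree, "assets", "model.bin"))
        os.link(outside, os.path.join(tree, "assets", "weights.bin"))

        written = safe_write(tree, os.path.join("assets", "fresh.bin"), b"lfs object")
        with open(written, "rb") as fh:
            results["fresh.bin"] = "written" if fh.read() == b"lfs object" else "corrupt"
        for name in ("model.bin", "weights.bin"):
            try:
                safe_write(tree, os.path.join("assets", name), b"overwritten")
                results[name] = "written"
            except UnsafeTargetError:
                results[name] = "refused"
        with open(outside, "rb") as fh:
            results["outside_intact"] = fh.read() == b"original"
    return results


if __name__ == "__main__":
    print(demo())
```

Unlinking and recreating the file, rather than truncating it in place, is what makes the hard-link case safe: the other directory entry keeps the old inode and the tool's data never reaches it. The core.symlinks=false workaround from the advisory prevents new symlinks from being created by Git; the checks above are the complementary defence for links that already exist.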
For Debian 11 bullseye, this problem has been partially fixed in version
2.13.2-1+deb11u2. For a complete fix, Git 2.42.0 or newer is also required.
We recommend that you upgrade your git-lfs packages.
For the detailed security status of git-lfs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/git-lfs
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4612-1] sentry-python security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4612-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
May 31, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : sentry-python
Version : 0.13.2-1+deb11u1
CVE ID : CVE-2024-40647
Debian Bug : 1083189
A vulnerability was found in the Python SDK for Sentry.io. The issue
results in the unintentional exposure of environment variables to
subprocesses despite the env={} setting.
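A small probe, added here as an example and not taken from the advisory or from the Sentry SDK, for verifying that env={} is honoured on a given system: it sets a constructed sentinel variable in the parent, spawns a Python child three ways, and reports which runs the child saw it in. The sentinel name is made up; the check asserts on that one variable rather than on an empty environment, because the interpreter itself may add locale variables to an otherwise empty child environment.

```python
import os
import subprocess
import sys
from typing import Dict, Optional, Set

# Constructed sentinel; any name not already present in the environment works.
SENTINEL = "ENV_ISOLATION_PROBE"

# The child just lists the names of the variables it can see.
CHILD_CODE = "import os, sys; sys.stdout.write(' '.join(sorted(os.environ)))"


def child_sees(env: Optional[Dict[str, str]]) -> Set[str]:
    """Spawn a Python child with the given env (None = inherit) and return
    the variable names the child observes."""
    completed = subprocess.run(
        [sys.executable, "-c", CHILD_CODE],
        env=env, capture_output=True, text=True, check=True,
    )
    return set(completed.stdout.split())


def probe() -> Dict[str, bool]:
    """Run the three cases with the sentinel set in the parent."""
    previous = os.environ.get(SENTINEL)
    os.environ[SENTINEL] = "1"
    try:
        return {
            "leaked_through_empty_env": SENTINEL in child_sees({}),
            "passed_through_explicit_env": SENTINEL in child_sees({SENTINEL: "1"}),
            "inherited_by_default": SENTINEL in child_sees(None),
        }
    finally:
        if previous is None:
            del os.environ[SENTINEL]
        else:
            os.environ[SENTINEL] = previous


def env_is_isolated() -> bool:
    """True when env={} hides the parent's variable while the explicit and
    inherited cases still show it, i.e. the expected subprocess behaviour."""
    r = probe()
    return (not r["leaked_through_empty_env"]
            and r["passed_through_explicit_env"]
            and r["inherited_by_default"])


if __name__ == "__main__":
    print(probe())
```

Run as-is the probe exercises plain subprocess and should report no leak. To check an installed SDK, initialise it (sentry_sdk.init()) before calling probe(), since the advisory's issue concerns subprocesses started while the SDK is active; a True value for leaked_through_empty_env then indicates the unpatched behaviour.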
For Debian 11 bullseye, this problem has been fixed in version
0.13.2-1+deb11u1.
We recommend that you upgrade your sentry-python packages.
For the detailed security status of sentry-python please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sentry-python
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4611-1] keystone security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4611-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
May 31, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : keystone
Version : 2:18.1.0-1+deb11u3
CVE ID : CVE-2026-33551 CVE-2026-40683 CVE-2026-42998 CVE-2026-42999
CVE-2026-43000 CVE-2026-43001 CVE-2026-44394
Debian Bug : 1133118 1133884 1135645
Multiple vulnerabilities have been found in Keystone, the OpenStack identity
service, including privilege escalation and authorization and access
control flaws.
CVE-2026-33551
An authenticated user with only a reader role may obtain an EC2/S3
credential that carries the full set of the parent user's S3
permissions, bypassing the role restrictions imposed on the
application credential. Only deployments that use restricted application
credentials in combination with the EC2/S3 compatibility API
(swift3/s3api) are affected. Reported by Maxence Bornecque, from
Orange Cyberdefense CERT Vulnerability Intelligence Watch Team.
CVE-2026-40683
LDAP identity backend does not convert enabled attribute to boolean. When
the user_enabled_invert configuration option was False (the default),
Keystone did not correctly interpret the LDAP enabled attribute, causing
users disabled in LDAP to be treated as enabled and allowed to
authenticate. Deployments using the LDAP identity backend without
user_enabled_invert=True or user_enabled_emulation are affected.
Independently reported by Benedikt Trefzer and Andrew Bogott.
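The fault in CVE-2026-40683 is the conversion step itself: directory servers return the attribute as a string, and in Python a string such as "FALSE" is truthy. The following is an added illustration (not Keystone's LDAP backend code) of a naive conversion next to an explicit one. It uses the user_enabled_invert option named in the advisory; user_enabled_default is assumed here to mean the value applied when the attribute is absent, and the accepted spellings of true and false are the author's own choice.

```python
from typing import Any

_TRUE = {"true", "t", "yes", "y", "1", "on"}
_FALSE = {"false", "f", "no", "n", "0", "off"}


def parse_ldap_boolean(raw: Any) -> bool:
    """Convert an LDAP attribute value (bytes, str or bool) to bool.
    Anything outside the recognised spellings raises ValueError."""
    if isinstance(raw, bool):
        return raw
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", "replace")
    text = str(raw).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean value {raw!r}")


def naive_is_enabled(raw: Any, user_enabled_invert: bool = False) -> bool:
    """The failure mode: Python truthiness treats the string "FALSE" as
    enabled, so a user disabled in LDAP is allowed to authenticate."""
    value = bool(raw)
    return (not value) if user_enabled_invert else value


def is_user_enabled(attr_value: Any, user_enabled_invert: bool = False,
                    user_enabled_default: bool = True) -> bool:
    """Decide whether a directory user may authenticate.

    attr_value: the raw attribute, a list of values (first one is used), or
    None when the attribute is absent, in which case user_enabled_default
    applies (assumed semantics).
    user_enabled_invert: the directory attribute means "disabled/locked"
    rather than "enabled", so the parsed value is negated.
    Unparseable values fail closed.
    """
    if isinstance(attr_value, (list, tuple)):
        attr_value = attr_value[0] if attr_value else None
    if attr_value is None:
        return user_enabled_default
    try:
        value = parse_ldap_boolean(attr_value)
    except ValueError:
        return False
    return (not value) if user_enabled_invert else value


if __name__ == "__main__":
    for raw in ("TRUE", "FALSE", b"false", "locked", None):
        print(repr(raw), naive_is_enabled(raw), is_user_enabled(raw))
```

The explicit parser fails closed on values it does not recognise, which is the safe default for an authentication decision; an operator who sees unexpected lockouts after deploying such a change should inspect the attribute's actual values rather than widen the truthy set.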
CVE-2026-42998
Application credential authentication does not verify the caller owns
the credential, allowing user impersonation within a shared project.
Reported by Boris Bobrov, from SAP SE.
CVE-2026-42999
An attacker can inject RBAC policy targets via the JSON request body,
bypassing authorization on any policy-protected endpoint. Allows
reading all credential secrets, creating credentials for arbitrary
users, and granting admin across domains. Reported by Boris Bobrov,
from SAP SE.
CVE-2026-43000
The impersonation from CVE-2026-42998 can be chained with trusts to
escalate from member to admin. The resulting trust persists
independently of the original credential. Reported by Boris Bobrov, from
SAP SE.
CVE-2026-43001
Application credentials scoped to one project can create EC2
credentials for a different project. Reported by Tim Shepherd,
roiai.ca.
CVE-2026-44394
Federated users can maintain access indefinitely by repeatedly
re-scoping tokens before expiry. Each re-scope issues a fresh full-TTL
token instead of inheriting the original expiry. Only SAML2/OIDC
deployments are affected. Reported by Erichen, Institute of Computing
Technology, Chinese Academy of Sciences.
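The CVE-2026-44394 description contrasts two re-scoping rules: issuing a fresh full-TTL token, and inheriting the original expiry. The following added example (not Keystone's token provider; token fields, a one-hour TTL and the 30-minute renewal cadence are all constructed for the illustration) implements both rules over a minimal token record and simulates a federated session that re-scopes repeatedly, returning how long access lasts under each.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict

TOKEN_TTL = timedelta(hours=1)  # constructed; the real TTL is a deployment setting


@dataclass(frozen=True)
class Token:
    subject: str
    issued_at: datetime
    expires_at: datetime
    scope: str        # e.g. "unscoped" or "project:<id>"
    federated: bool   # came from a SAML2/OIDC assertion


class TokenExpired(Exception):
    pass


def issue_token(subject: str, now: datetime, scope: str, federated: bool,
                ttl: timedelta = TOKEN_TTL) -> Token:
    return Token(subject, now, now + ttl, scope, federated)


def rescope_naive(original: Token, now: datetime, new_scope: str,
                  ttl: timedelta = TOKEN_TTL) -> Token:
    """Failure mode: every re-scope gets a fresh full TTL, so a session can
    be renewed indefinitely without re-authenticating at the identity provider."""
    if now >= original.expires_at:
        raise TokenExpired
    return issue_token(original.subject, now, new_scope, original.federated, ttl)


def rescope(original: Token, now: datetime, new_scope: str,
            ttl: timedelta = TOKEN_TTL) -> Token:
    """The re-scoped token expires no later than the token it derives from."""
    if now >= original.expires_at:
        raise TokenExpired
    expires = min(now + ttl, original.expires_at)
    return Token(original.subject, now, expires, new_scope, original.federated)


def lifetime_under(rescoper: Callable[[Token, datetime, str], Token],
                   steps: int, now: datetime) -> timedelta:
    """Simulate a client that re-scopes every 30 minutes for `steps` rounds
    and return how long its access lasts from the first issuance."""
    token = issue_token("alice", now, "unscoped", federated=True)
    t = now
    for _ in range(steps):
        t += timedelta(minutes=30)
        try:
            token = rescoper(token, t, "project:demo")
        except TokenExpired:
            break
    return token.expires_at - now


def demo() -> Dict[str, float]:
    t0 = datetime(2026, 5, 31, tzinfo=timezone.utc)  # constructed clock
    return {
        "naive_hours": lifetime_under(rescope_naive, 10, t0).total_seconds() / 3600,
        "fixed_hours": lifetime_under(rescope, 10, t0).total_seconds() / 3600,
    }


if __name__ == "__main__":
    print(demo())
```

With ten renewals the naive rule extends a one-hour token to six hours of access, and would keep going for as long as the client keeps renewing; the inheriting rule caps the session at the original hour regardless of how often it re-scopes. Auditing for this pattern means looking for token issuance where a token derived from another carries an expiry later than its parent.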
For Debian 11 bullseye, these problems have been fixed in version
2:18.1.0-1+deb11u3.
We recommend that you upgrade your keystone packages.
For the detailed security status of keystone please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/keystone
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6316-1] chromium security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6316-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
May 31, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2026-9872 CVE-2026-9873 CVE-2026-9874 CVE-2026-9875
CVE-2026-9876 CVE-2026-9877 CVE-2026-9878 CVE-2026-9879
CVE-2026-9880 CVE-2026-9881 CVE-2026-9882 CVE-2026-9883
CVE-2026-9884 CVE-2026-9885 CVE-2026-9886 CVE-2026-9887
CVE-2026-9888 CVE-2026-9889 CVE-2026-9890 CVE-2026-9891
CVE-2026-9892 CVE-2026-9893 CVE-2026-9894 CVE-2026-9895
CVE-2026-9896 CVE-2026-9897 CVE-2026-9898 CVE-2026-9899
CVE-2026-9900 CVE-2026-9901 CVE-2026-9902 CVE-2026-9903
CVE-2026-9904 CVE-2026-9905 CVE-2026-9906 CVE-2026-9907
CVE-2026-9908 CVE-2026-9909 CVE-2026-9910 CVE-2026-9911
CVE-2026-9912 CVE-2026-9913 CVE-2026-9914 CVE-2026-9915
CVE-2026-9916 CVE-2026-9917 CVE-2026-9918 CVE-2026-9919
CVE-2026-9920 CVE-2026-9921 CVE-2026-9922 CVE-2026-9923
CVE-2026-9924 CVE-2026-9925 CVE-2026-9926 CVE-2026-9927
CVE-2026-9928 CVE-2026-9929 CVE-2026-9930 CVE-2026-9931
CVE-2026-9932 CVE-2026-9933 CVE-2026-9934 CVE-2026-9935
CVE-2026-9936 CVE-2026-9937 CVE-2026-9938 CVE-2026-9939
CVE-2026-9940 CVE-2026-9941 CVE-2026-9942 CVE-2026-9943
CVE-2026-9944 CVE-2026-9945 CVE-2026-9946 CVE-2026-9947
CVE-2026-9948 CVE-2026-9949 CVE-2026-9950 CVE-2026-9951
CVE-2026-9952 CVE-2026-9953 CVE-2026-9954 CVE-2026-9955
CVE-2026-9956 CVE-2026-9957 CVE-2026-9958 CVE-2026-9959
CVE-2026-9960 CVE-2026-9961 CVE-2026-9962 CVE-2026-9963
CVE-2026-9964 CVE-2026-9965 CVE-2026-9966 CVE-2026-9967
CVE-2026-9968 CVE-2026-9969 CVE-2026-9970 CVE-2026-9971
CVE-2026-9972 CVE-2026-9973 CVE-2026-9974 CVE-2026-9975
CVE-2026-9976 CVE-2026-9977 CVE-2026-9978 CVE-2026-9979
CVE-2026-9980 CVE-2026-9981 CVE-2026-9982 CVE-2026-9983
CVE-2026-9984 CVE-2026-9985 CVE-2026-9986 CVE-2026-9987
CVE-2026-9988 CVE-2026-9989 CVE-2026-9990 CVE-2026-9991
CVE-2026-9992 CVE-2026-9993 CVE-2026-9994 CVE-2026-9995
CVE-2026-9996 CVE-2026-9997 CVE-2026-9998 CVE-2026-9999
CVE-2026-10000 CVE-2026-10001 CVE-2026-10002 CVE-2026-10003
CVE-2026-10004 CVE-2026-10005 CVE-2026-10006 CVE-2026-10007
CVE-2026-10008 CVE-2026-10009 CVE-2026-10010 CVE-2026-10011
CVE-2026-10012 CVE-2026-10013 CVE-2026-10014 CVE-2026-10015
CVE-2026-10016 CVE-2026-10017 CVE-2026-10018 CVE-2026-10019
CVE-2026-10020 CVE-2026-10021 CVE-2026-10022
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
For the oldstable distribution (bookworm), these problems have been fixed
in version 148.0.7778.215-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 148.0.7778.215-1~deb13u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6315-1] cyborg security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6315-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 31, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : cyborg
CVE ID : CVE-2026-40213 CVE-2026-40214
Two security vulnerabilities have been discovered in Cyborg, the
OpenStack component for management of hardware accelerators, which could
result in incomplete access controls.
For the stable distribution (trixie), these problems have been fixed in
version 14.0.0-3+deb13u1.
We recommend that you upgrade your cyborg packages.
For the detailed security status of cyborg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cyborg
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6314-1] swift security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6314-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 31, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : swift
CVE ID : CVE-2026-49017
Alistair Coles discovered that the s3api middleware of Swift, a
distributed virtual object store, was susceptible to denial of service.
The oldstable distribution (bookworm) is not affected.
For the stable distribution (trixie), this problem has been fixed in
version 2.35.1-0+deb13u2.
We recommend that you upgrade your swift packages.
For the detailed security status of swift please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/swift
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6313-1] dovecot security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6313-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 31, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : dovecot
CVE ID : CVE-2026-33603 CVE-2026-40016 CVE-2026-40020
CVE-2026-42006 CVE-2026-27851
Multiple vulnerabilities have been discovered in the Dovecot IMAP server
which may result in denial of service, SQL injection or
man-in-the-middle attacks.
For the oldstable distribution (bookworm), these problems have been fixed
in version 1:2.3.19.1+dfsg1-2.1+deb12u6.
For the stable distribution (trixie), these problems have been fixed in
version 1:2.4.1+dfsg1-6+deb13u6.
We recommend that you upgrade your dovecot packages.
For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/