Debian 10865 Published by

Debian administrators should note four security advisories covering critical updates for systemd and python3.9, among other packages. Local users might exploit the systemd flaws to gain root access through improper D-Bus validation or stack overwrites. Although the python3.9 update reverts earlier changes that broke backward compatibility, it fixes a use-after-free vulnerability triggered when a decompressor instance is reused after a memory allocation failure. The LXD and Incus container managers also require upgrades, since security flaws in these tools could allow restriction bypass or privilege escalation.

[DLA 4533-1] systemd security update
[DLA 4532-1] python3.9 regression and security update
[DSA 6213-1] lxd security update
[DSA 6212-1] incus security update




[SECURITY] [DLA 4533-1] systemd security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4533-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arnaud Rebillout
April 15, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : systemd
Version : 247.3-7+deb11u8
CVE ID : CVE-2026-4105 CVE-2026-29111 CVE-2026-40225 CVE-2026-40226
Debian Bug :

The following vulnerabilities have been discovered in systemd:

CVE-2026-4105

The systemd-machined service contains an Improper Access Control
vulnerability due to insufficient validation of the class parameter in
the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged
user can exploit this by attempting to register a machine with a
specific class value, which may leave behind a usable,
attacker-controlled machine object. This allows the attacker to invoke
methods on the privileged object, leading to the execution of
arbitrary commands with root privileges on the host system.

CVE-2026-29111

When an unprivileged IPC API call is made with spurious data, a stack
overwrite occurs with attacker-controlled content.

CVE-2026-40225

udev: local root execution can occur via malicious hardware devices
and unsanitized kernel output.

CVE-2026-40226

nspawn: an escape-to-host action can occur via a crafted optional
config file.

For Debian 11 bullseye, these problems have been fixed in version
247.3-7+deb11u8.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4532-1] python3.9 regression and security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4532-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arnaud Rebillout
April 15, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python3.9
Version : 3.9.2-1+deb11u6
CVE ID : CVE-2025-15366 CVE-2025-15367 CVE-2026-6100
Debian Bug :

It was found that the patches for CVE-2025-15366 and CVE-2025-15367
break backward compatibility, and upstream decided not to backport those
patches to older Python releases. Therefore those 2 patches, applied in
the previous version (python3.9 3.9.2-1+deb11u5), have been reverted.

Additionally, the following CVE has been fixed:

CVE-2026-6100

Use-after-free (UAF) was possible in the `lzma.LZMADecompressor` and
`bz2.BZ2Decompressor` when a memory allocation fails with a
`MemoryError` and the decompression instance is re-used. This
scenario can be triggered if the process is under memory pressure.
The vulnerability is only present if the program re-uses
decompressor instances across multiple decompression calls even
after a `MemoryError` is raised during decompression. The one-shot
helper functions such as `lzma.decompress()` and `bz2.decompress()`
are not affected, as a new decompressor instance is used per call. If
the decompressor instance is not re-used after an error condition,
that usage is similarly not vulnerable.
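An added example, not part of the advisory, showing the usage pattern the text describes as unaffected: a hypothetical `GuardedDecompressor` wrapper discards the underlying `lzma`/`bz2` decompressor after any exception so it can never be fed again, and `stream_decompress` creates one fresh instance per call. The sample payload and the malformed input are constructed inline.

```python
import bz2
import lzma


class GuardedDecompressor:
    """Wrap an lzma/bz2 decompressor and refuse further use after any error.

    CVE-2026-6100 needs an instance to be fed again after decompress()
    raised MemoryError. This wrapper drops the underlying object on the
    first exception, so that pattern cannot occur even where the fix is
    not yet installed. (Hypothetical helper, not from the advisory.)
    """

    def __init__(self, factory):
        self._dec = factory()        # e.g. lzma.LZMADecompressor
        self._failed = False

    def decompress(self, data, max_length=-1):
        if self._failed:
            raise RuntimeError("instance discarded after an earlier error; create a new one")
        try:
            return self._dec.decompress(data, max_length)
        except Exception:
            self._failed = True
            self._dec = None         # never touched again
            raise

    @property
    def eof(self):
        return self._dec is not None and self._dec.eof


def stream_decompress(chunks, factory):
    """Decompress an iterable of chunks with one fresh guarded instance per call."""
    dec = GuardedDecompressor(factory)
    out = bytearray()
    for chunk in chunks:
        out += dec.decompress(chunk)
    if not dec.eof:
        raise ValueError("compressed stream ended prematurely")
    return bytes(out)


def demo():
    """Constructed sample data; returns (roundtrip_ok, reuse_refused)."""
    payload = b"advisory sample " * 500
    blob = bz2.compress(payload)
    chunks = [blob[i:i + 64] for i in range(0, len(blob), 64)]
    roundtrip_ok = stream_decompress(chunks, bz2.BZ2Decompressor) == payload

    guarded = GuardedDecompressor(lzma.LZMADecompressor)
    reuse_refused = False
    try:
        guarded.decompress(b"not an xz stream")       # raises LZMAError
    except Exception:
        try:
            guarded.decompress(lzma.compress(b"x"))  # must be refused now
        except RuntimeError:
            reuse_refused = True
    return roundtrip_ok, reuse_refused
```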

For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u6.

We recommend that you upgrade your python3.9 packages.

For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6213-1] lxd security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6213-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 15, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : lxd
CVE ID : CVE-2026-34177 CVE-2026-34178 CVE-2026-34179

Multiple security issues were discovered in LXD, a system container and
virtual machine manager, which could result in restriction bypass or
privilege escalation.

For the oldstable distribution (bookworm), these problems have been fixed
in version 5.0.2-5+deb12u5.

For the stable distribution (trixie), these problems have been fixed in
version 5.0.2+git20231211.1364ae4-9+deb13u5.

We recommend that you upgrade your lxd packages.

For the detailed security status of lxd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lxd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6212-1] incus security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6212-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 15, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : incus
CVE ID : CVE-2026-34178 CVE-2026-34179

Two security issues were discovered in Incus, a system container and
virtual machine manager, which could result in restriction bypass
or privilege escalation.

For the stable distribution (trixie), these problems have been fixed in
version 6.0.4-2+deb13u6.

We recommend that you upgrade your incus packages.

For the detailed security status of incus please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/incus

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/