
Two security updates have been released for Debian GNU/Linux 11 (Bullseye) LTS. The first update, DLA-4466-1, addresses a security issue in Thunderbird that could result in information disclosure and has been fixed with version 1:140.7.1esr-1~deb11u1. The second update, DLA-4467-1, fixes multiple vulnerabilities in containerd, including overly broad default permissions on several directories and a bug in the CRI Attach implementation that can exhaust host memory. Both advisories recommend upgrading the respective packages to fix the security issues.

[DLA 4466-1] thunderbird security update
[DLA 4467-1] containerd security update




[SECURITY] [DLA 4466-1] thunderbird security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4466-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
February 04, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : thunderbird
Version : 1:140.7.1esr-1~deb11u1
CVE ID : CVE-2026-0818

A security issue was discovered in Thunderbird, which could result in
information disclosure.

For Debian 11 bullseye, this problem has been fixed in version
1:140.7.1esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4467-1] containerd security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4467-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arnaud Rebillout
February 05, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : containerd
Version : 1.4.13~ds1-1~deb11u6
CVE ID : CVE-2024-25621 CVE-2025-64329
Debian Bug : 1120285 1120343

Multiple vulnerabilities were discovered in containerd, an open-source
container runtime, used by e.g. Docker or Kubernetes.

CVE-2024-25621

Overly broad default permission vulnerability. Directory paths
`/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri`
and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were
all created with incorrect permissions.

CVE-2025-64329

Bug in the CRI Attach implementation where a user can exhaust memory
on the host due to goroutine leaks.

For Debian 11 bullseye, these problems have been fixed in version
1.4.13~ds1-1~deb11u6.

We recommend that you upgrade your containerd packages.

For the detailed security status of containerd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/containerd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
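
A host-side check for the three directories named under CVE-2024-25621, added here as an example and not part of the Debian advisory or of containerd: it reports any of them that still grants access to group or other. It assumes the intended state is owner-only access, which the advisory text does not spell out, and GNU `stat`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the directories listed in DLA-4467-1 (CVE-2024-25621).
# Assumption: a correctly created directory has no group/other permission bits.

CONTAINERD_DIRS="/var/lib/containerd
/run/containerd/io.containerd.grpc.v1.cri
/run/containerd/io.containerd.sandbox.controller.v1.shim"

# mode_is_owner_only MODE
# Succeeds when the octal MODE (as printed by stat, e.g. 700) has no
# group or other bits set.
mode_is_owner_only() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# audit_dir PATH
# Returns 0 if PATH is absent or owner-only, 1 if group/other bits are set,
# 2 if the mode could not be read.
audit_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "SKIP  $dir (not present)"
        return 0
    fi
    mode=$(stat -c '%a' "$dir") || return 2
    if mode_is_owner_only "$mode"; then
        echo "OK    $dir mode=$mode"
        return 0
    fi
    echo "BROAD $dir mode=$mode (group/other bits set)"
    return 1
}

# audit_all PATH...
# Audits every path and returns 1 if any of them failed the check.
audit_all() {
    rc=0
    for d in "$@"; do
        audit_dir "$d" || rc=1
    done
    return $rc
}

# The list is newline-separated and the paths contain no spaces,
# so unquoted expansion splits it into one argument per directory.
audit_all $CONTAINERD_DIRS || echo "One or more containerd directories are too permissive."
```

Run it as root before and after installing 1.4.13~ds1-1~deb11u6 to see whether the modes on an existing host have changed.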