
Debian administrators should immediately apply critical security patches for Thunderbird, Firefox ESR, libconfig-inifiles-perl, and gst-libav1.0 to address numerous high-risk vulnerabilities. These updates fix dozens of CVE-tracked vulnerabilities that could allow attackers to execute arbitrary code or bypass browser security restrictions. They also fix a Perl module flaw that could lead to shell command execution, as well as heap memory corruption issues in the GStreamer multimedia framework.

[DLA 4636-1] thunderbird security update
[DLA 4635-1] firefox-esr security update
[DLA 4637-1] libconfig-inifiles-perl security update
[DSA 6354-1] libconfig-inifiles-perl security update
[DSA 6353-1] gst-libav1.0 security update




[SECURITY] [DLA 4636-1] thunderbird security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4636-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
June 19, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : thunderbird
Version : 1:140.12.0esr-1~deb11u1 1:140.12.0esr-1~deb12u1
CVE ID : CVE-2026-12289 CVE-2026-12290 CVE-2026-12291 CVE-2026-12292
CVE-2026-12294 CVE-2026-12295 CVE-2026-12296 CVE-2026-12297
CVE-2026-12298 CVE-2026-12299 CVE-2026-12302 CVE-2026-12304
CVE-2026-12305 CVE-2026-12306 CVE-2026-12307 CVE-2026-12308
CVE-2026-12309 CVE-2026-12310 CVE-2026-12311 CVE-2026-12312
CVE-2026-12313 CVE-2026-12314 CVE-2026-12315 CVE-2026-12324
CVE-2026-12325 CVE-2026-12327 CVE-2026-12328 CVE-2026-12329
CVE-2026-12330

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For Debian 11 bullseye, these problems have been fixed in version
1:140.12.0esr-1~deb11u1.

For Debian 12 bookworm, these problems have been fixed in version
1:140.12.0esr-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4635-1] firefox-esr security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4635-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
June 19, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : firefox-esr
Version : 140.12.0esr-1~deb11u1 140.12.0esr-1~deb12u1
CVE ID : CVE-2026-12289 CVE-2026-12290 CVE-2026-12291 CVE-2026-12292
CVE-2026-12294 CVE-2026-12295 CVE-2026-12296 CVE-2026-12297
CVE-2026-12298 CVE-2026-12299 CVE-2026-12302 CVE-2026-12304
CVE-2026-12305 CVE-2026-12306 CVE-2026-12307 CVE-2026-12308
CVE-2026-12309 CVE-2026-12310 CVE-2026-12311 CVE-2026-12312
CVE-2026-12313 CVE-2026-12314 CVE-2026-12315 CVE-2026-12324
CVE-2026-12325 CVE-2026-12327 CVE-2026-12328 CVE-2026-12329
CVE-2026-12330

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, bypass of the same-origin policy, privilege escalation,
information disclosure, spoofing or sandbox escape.

For Debian 11 bullseye, these problems have been fixed in version
140.12.0esr-1~deb11u1.

For Debian 12 bookworm, these problems have been fixed in version
140.12.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4637-1] libconfig-inifiles-perl security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4637-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Salvatore Bonaccorso
June 19, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libconfig-inifiles-perl
Version : 3.000003-1+deb11u1 3.000003-2+deb12u1
CVE ID : CVE-2026-11527

A flaw was discovered in libconfig-inifiles-perl, a Perl module to read
.ini-style configuration files, which may result in the execution of
arbitrary shell commands or file overwrite when processing specially
crafted file names.

For Debian 11 bullseye, this problem has been fixed in version
3.000003-1+deb11u1.

For Debian 12 bookworm, this problem has been fixed in version
3.000003-2+deb12u1.

We recommend that you upgrade your libconfig-inifiles-perl packages.

For the detailed security status of libconfig-inifiles-perl please refer
to its security tracker page at:
https://security-tracker.debian.org/tracker/libconfig-inifiles-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6354-1] libconfig-inifiles-perl security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6354-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 19, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libconfig-inifiles-perl
CVE ID : CVE-2026-11527

A flaw was discovered in libconfig-inifiles-perl, a Perl module to read
.ini-style configuration files, which may result in the execution of
arbitrary shell commands or file overwrite when processing specially
crafted file names.

For the stable distribution (trixie), this problem has been fixed in
version 3.000003-3+deb13u1.

We recommend that you upgrade your libconfig-inifiles-perl packages.

For the detailed security status of libconfig-inifiles-perl please refer
to its security tracker page at:
https://security-tracker.debian.org/tracker/libconfig-inifiles-perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6353-1] gst-libav1.0 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6353-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 19, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gst-libav1.0
CVE ID : CVE-2026-52717

It was discovered that incorrect memory management in the ffmpeg plugin
for GStreamer could result in heap memory corruption.

For the stable distribution (trixie), this problem has been fixed in
version 1.26.2-1+deb13u1.

We recommend that you upgrade your gst-libav1.0 packages.

For the detailed security status of gst-libav1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-libav1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
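
To confirm that a host has actually picked up the fixed versions listed in the advisories above, the following added example (not part of the Debian advisories) compares an installed-package inventory against those versions using a simplified reimplementation of Debian's version ordering (epoch, upstream, revision, with `~` sorting before everything). The names `FIXED`, `version_key`, `needs_update`, `audit` and the sample inventory are assumptions made for this illustration; on a Debian system `dpkg --compare-versions` is the authoritative comparison.

```python
import re

# Fixed versions copied from the advisories above: package -> {release: version}.
FIXED = {
    "thunderbird": {"bullseye": "1:140.12.0esr-1~deb11u1", "bookworm": "1:140.12.0esr-1~deb12u1"},
    "firefox-esr": {"bullseye": "140.12.0esr-1~deb11u1", "bookworm": "140.12.0esr-1~deb12u1"},
    "libconfig-inifiles-perl": {"bullseye": "3.000003-1+deb11u1", "bookworm": "3.000003-2+deb12u1",
                                "trixie": "3.000003-3+deb13u1"},
    "gst-libav1.0": {"trixie": "1.26.2-1+deb13u1"},
}

def _order(ch):
    """Rank of one non-digit character: '~' first, then letters, then everything else."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _part_key(part):
    """Key for an upstream or revision string: alternating non-digit and numeric runs."""
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def version_key(version):
    """Sort key for a version of the form [epoch:]upstream[-revision]."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return (int(epoch), _part_key(upstream), _part_key(revision))

def needs_update(package, release, installed):
    """True if `installed` sorts before the fixed version for that release."""
    return version_key(installed) < version_key(FIXED[package][release])

def audit(release, inventory):
    """Return the packages in "name version" lines that are still below the fix."""
    stale = []
    for line in inventory.strip().splitlines():
        name, version = line.split()
        if release in FIXED.get(name, {}) and needs_update(name, release, version):
            stale.append(name)
    return stale

# Constructed sample inventory, in `dpkg-query -W -f='${Package} ${Version}\n'` format.
SAMPLE_BOOKWORM = """
thunderbird 1:128.11.0esr-1~deb12u1
firefox-esr 140.12.0esr-1~deb12u1
libconfig-inifiles-perl 3.000003-2
openssl 3.0.16-1~deb12u1
"""
```

`audit("bookworm", SAMPLE_BOOKWORM)` reports the packages that still need the upgrade; packages the advisories do not cover are skipped.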