
The Debian Project has released four separate security advisories covering vulnerabilities in Thunderbird, Firefox ESR and ruby-rack. Depending on the software affected, the issues could allow arbitrary code execution or information disclosure (Thunderbird, Firefox ESR) or cross-site scripting and directory traversal (ruby-rack). Users running older distributions like bullseye need to update immediately, while those on bookworm and trixie should also apply the recommended upgrades for the affected packages.

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4511-1] thunderbird security update
[DLA 4510-1] firefox-esr security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6180-1] ruby-rack security update
[DSA 6179-1] thunderbird security update



[SECURITY] [DLA 4511-1] thunderbird security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4511-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
March 26, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : thunderbird
Version : 1:140.9.0esr-1~deb11u1
CVE ID : CVE-2025-59375 CVE-2026-3889 CVE-2026-4371 CVE-2026-4684
CVE-2026-4685 CVE-2026-4686 CVE-2026-4687 CVE-2026-4688
CVE-2026-4689 CVE-2026-4690 CVE-2026-4691 CVE-2026-4692
CVE-2026-4693 CVE-2026-4694 CVE-2026-4695 CVE-2026-4696
CVE-2026-4697 CVE-2026-4698 CVE-2026-4699 CVE-2026-4700
CVE-2026-4701 CVE-2026-4702 CVE-2026-4704 CVE-2026-4705
CVE-2026-4706 CVE-2026-4707 CVE-2026-4708 CVE-2026-4709
CVE-2026-4710 CVE-2026-4713 CVE-2026-4714 CVE-2026-4715
CVE-2026-4716 CVE-2026-4717 CVE-2026-4718 CVE-2026-4719
CVE-2026-4720 CVE-2026-4721

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure.

For Debian 11 bullseye, these problems have been fixed in version
1:140.9.0esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4510-1] firefox-esr security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4510-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
March 26, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : firefox-esr
Version : 140.9.0esr-1~deb11u1
CVE ID : CVE-2025-59375 CVE-2026-4684 CVE-2026-4685 CVE-2026-4686
CVE-2026-4687 CVE-2026-4688 CVE-2026-4689 CVE-2026-4690
CVE-2026-4691 CVE-2026-4692 CVE-2026-4693 CVE-2026-4694
CVE-2026-4695 CVE-2026-4696 CVE-2026-4697 CVE-2026-4698
CVE-2026-4699 CVE-2026-4700 CVE-2026-4701 CVE-2026-4702
CVE-2026-4704 CVE-2026-4705 CVE-2026-4706 CVE-2026-4707
CVE-2026-4708 CVE-2026-4709 CVE-2026-4710 CVE-2026-4713
CVE-2026-4714 CVE-2026-4715 CVE-2026-4716 CVE-2026-4717
CVE-2026-4718 CVE-2026-4719 CVE-2026-4720 CVE-2026-4721

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, sandbox escape, information disclosure, denial of service or
privilege escalation.

For Debian 11 bullseye, these problems have been fixed in version
140.9.0esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6180-1] ruby-rack security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6180-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 26, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ruby-rack
CVE ID : CVE-2026-22860 CVE-2026-25500

Two security issues (cross-site scripting and directory traversal) were
found in Rack, an interface for developing web applications in Ruby.

For the oldstable distribution (bookworm), these problems have been fixed
in version 2.2.22-0+deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 3.1.20-0+deb13u1.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6179-1] thunderbird security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6179-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 26, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2025-59375 CVE-2026-3889 CVE-2026-4371 CVE-2026-4684
CVE-2026-4685 CVE-2026-4686 CVE-2026-4687 CVE-2026-4688
CVE-2026-4689 CVE-2026-4690 CVE-2026-4691 CVE-2026-4692
CVE-2026-4693 CVE-2026-4694 CVE-2026-4695 CVE-2026-4696
CVE-2026-4697 CVE-2026-4698 CVE-2026-4699 CVE-2026-4700
CVE-2026-4701 CVE-2026-4702 CVE-2026-4704 CVE-2026-4705
CVE-2026-4706 CVE-2026-4707 CVE-2026-4708 CVE-2026-4709
CVE-2026-4710 CVE-2026-4713 CVE-2026-4714 CVE-2026-4715
CVE-2026-4716 CVE-2026-4717 CVE-2026-4718 CVE-2026-4719
CVE-2026-4720 CVE-2026-4721

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure.

For the oldstable distribution (bookworm), these problems have been
fixed in version 1:140.9.0esr-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 1:140.9.0esr-1~deb13u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
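
Added example (not part of the Debian advisories): a fleet-inventory check that flags hosts still below the fixed versions listed above. The fixed versions carry an epoch ("1:") and a tilde ("~deb11u1"), so plain string comparison gives wrong answers; this sketch follows the ordering rules described in Debian Policy. The host names and installed versions in INVENTORY are constructed sample data.

```python
import re
from itertools import zip_longest

# Fixed versions copied from the four advisories above: (suite, package) -> version
FIXED = {
    ("bullseye", "thunderbird"): "1:140.9.0esr-1~deb11u1",
    ("bullseye", "firefox-esr"): "140.9.0esr-1~deb11u1",
    ("bookworm", "ruby-rack"): "2.2.22-0+deb12u1",
    ("trixie", "ruby-rack"): "3.1.20-0+deb13u1",
    ("bookworm", "thunderbird"): "1:140.9.0esr-1~deb12u1",
    ("trixie", "thunderbird"): "1:140.9.0esr-1~deb13u1",
}

def _order(c):
    # '~' sorts before end-of-string (weight 0); letters sort before other symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk alternating (non-digit run, digit run) pairs of both strings.
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        for x, y in zip_longest(map(_order, sa), map(_order, sb), fillvalue=0):
            if x != y:
                return -1 if x < y else 1
        na, nb = int(da or 0), int(db or 0)  # an empty digit run counts as 0
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to empty.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(inventory):
    """Return the inventory rows whose installed version is below the fixed one."""
    return [row for row in inventory
            if (row[1], row[2]) in FIXED and compare(row[3], FIXED[row[1], row[2]]) < 0]

# Constructed sample inventory: (host, suite, package, installed version)
INVENTORY = [
    ("mail01", "bullseye", "thunderbird", "1:140.8.0esr-1~deb11u1"),
    ("web01", "bookworm", "ruby-rack", "2.2.22-0+deb12u1"),
    ("desk07", "bullseye", "firefox-esr", "140.10.0esr-1~deb11u1"),
    ("app02", "trixie", "ruby-rack", "3.1.20-0"),
]
```

On a single Debian host, `dpkg --compare-versions` applies the same ordering to the installed package.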