Debian 10924

Debian issued a series of security advisories to patch critical flaws across several widely used software packages. The updates address vulnerabilities in Thunderbird, GnuTLS, libgcrypt20, Atril, Kerberos, haveged, Evince, and HAProxy that could allow attackers to execute arbitrary code or bypass authentication controls. Additional risks include denial of service conditions, local privilege escalation, and HTTP request smuggling caused by improperly validated network inputs. System administrators should upgrade these packages immediately to close the identified security gaps across Debian stable distributions.

[DLA 4594-1] thunderbird security update
[DLA 4595-1] gnutls28 security update
[DSA 6294-1] libgcrypt20 security update
[DLA 4597-1] atril security update
[DSA 6293-1] krb5 security update
[DSA 6292-1] haveged security update
[DLA 4596-1] evince security update
[DSA 6291-1] haproxy security update


[SECURITY] [DLA 4594-1] thunderbird security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4594-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
May 22, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : thunderbird
Version : 1:140.11.0esr-1~deb11u1
CVE ID : CVE-2026-8388 CVE-2026-8391 CVE-2026-8401 CVE-2026-8946
CVE-2026-8947 CVE-2026-8950 CVE-2026-8953 CVE-2026-8954
CVE-2026-8955 CVE-2026-8956 CVE-2026-8957 CVE-2026-8958
CVE-2026-8961 CVE-2026-8962 CVE-2026-8968 CVE-2026-8970
CVE-2026-8974 CVE-2026-8975

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For Debian 11 bullseye, these problems have been fixed in version
1:140.11.0esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4595-1] gnutls28 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4595-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
May 22, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gnutls28
Version : 3.7.1-5+deb11u10
CVE ID : CVE-2026-3833 CVE-2026-5260 CVE-2026-33845 CVE-2026-33846
CVE-2026-42009 CVE-2026-42010 CVE-2026-42011 CVE-2026-42012
CVE-2026-42013 CVE-2026-42014 CVE-2026-42015
Debian Bug : 1135319

Multiple vulnerabilities were found in GnuTLS, a portable library which
implements the Transport Layer Security and Datagram Transport Layer
Security protocols, which may lead to constraint bypass, denial of
service, information disclosure, authentication bypass or potentially
execution of arbitrary code.

CVE-2026-3833

Oleh Konko and Joshua Rogers independently discovered that domain
name comparison during name constraints processing was
case-sensitive, thereby violating RFC 5280 § 7.2. For excluded name
constraints, this could lead to incorrectly accepting domain names
that should've been rejected.

CVE-2026-5260

Joshua Rogers discovered that for a server using an RSA key backed
by a PKCS#11 token, a client sending an extremely short premaster
secret during an RSA key exchange could trigger a short heap
overread.

CVE-2026-33845

Joshua Rogers discovered a remotely triggerable underflow in the DTLS
reassembly code leading to a heap overrun.

CVE-2026-33846

Haruto Kimura, Oscar Reparaz and Zou Dikai independently discovered
that GnuTLS failed to properly check that DTLS fragments claimed a
consistent message_length value, and that a bounds check on the
array was missing, enabling an attacker to cause a heap overwrite.

CVE-2026-42009

Joshua Rogers discovered that the comparator function used for
ordering DTLS packets by sequence numbers did not follow qsort
comparator contracts in case of packets with duplicate sequence
numbers, which could lead to undefined behaviour.
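The two DTLS issues above (CVE-2026-33846 and CVE-2026-42009) come down to the same reassembly routine: fragments must be ordered with a comparator that honours the qsort() contract, and each fragment's message_length, fragment_offset and fragment_length must be checked against the buffer before anything is copied. The following is an added illustration written for this digest, not GnuTLS code; the fragment layout, the contiguity requirement and the sample fragments are constructed for the demonstration.

```c
/* Added example (not GnuTLS code): a minimal DTLS handshake-fragment
 * reassembler with a contract-following comparator and bounds checks. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MSG 256   /* capacity of the reassembly buffer in this demo */

struct fragment {
    uint16_t msg_seq;    /* handshake message sequence number */
    uint32_t msg_len;    /* message_length claimed by this fragment */
    uint32_t frag_off;   /* fragment_offset */
    uint32_t frag_len;   /* fragment_length */
    const uint8_t *body;
};

/* The broken shape: never returns 0, so for two fragments with equal keys
 * cmp(a,b) and cmp(b,a) are both positive, which violates the contract
 * qsort() relies on and leaves the sort order undefined. */
int cmp_broken(const void *pa, const void *pb)
{
    const struct fragment *a = pa, *b = pb;
    return a->msg_seq < b->msg_seq ? -1 : 1;
}

/* Contract-following comparator: antisymmetric, returns 0 for equal keys. */
int cmp_fragment(const void *pa, const void *pb)
{
    const struct fragment *a = pa, *b = pb;
    if (a->msg_seq != b->msg_seq)
        return a->msg_seq < b->msg_seq ? -1 : 1;
    if (a->frag_off != b->frag_off)
        return a->frag_off < b->frag_off ? -1 : 1;
    return 0;
}

/* Check the antisymmetry the qsort() contract requires: cmp(a,b) == -cmp(b,a). */
bool comparator_antisymmetric(int (*cmp)(const void *, const void *),
                              const struct fragment *a, const struct fragment *b)
{
    int ab = cmp(a, b), ba = cmp(b, a);
    return (ab < 0 && ba > 0) || (ab > 0 && ba < 0) || (ab == 0 && ba == 0);
}

/* Reassemble the fragments of one handshake message into out[]. Returns the
 * message length on success, -1 on any inconsistency. This demo requires
 * fragments to be contiguous and non-overlapping; real stacks must also
 * tolerate retransmitted duplicates. */
long reassemble(struct fragment *frags, size_t n, uint8_t *out, size_t out_cap)
{
    if (n == 0)
        return -1;
    qsort(frags, n, sizeof *frags, cmp_fragment);
    uint32_t msg_len = frags[0].msg_len;
    if (msg_len > out_cap)
        return -1;                                   /* claimed size exceeds the buffer */
    uint32_t covered = 0;
    for (size_t i = 0; i < n; i++) {
        const struct fragment *f = &frags[i];
        if (f->msg_seq != frags[0].msg_seq)
            return -1;                               /* fragment of another message */
        if (f->msg_len != msg_len)
            return -1;                               /* inconsistent message_length */
        if (f->frag_off > msg_len || f->frag_len > msg_len - f->frag_off)
            return -1;                               /* would write past the message */
        if (f->frag_off != covered)
            return -1;                               /* gap or overlap */
        memcpy(out + f->frag_off, f->body, f->frag_len);
        covered += f->frag_len;
    }
    return covered == msg_len ? (long)covered : -1;
}

/* Constructed fragments: a valid two-piece message and a pair whose second
 * fragment claims a larger message_length with an offset beyond the first. */
int demo(void)
{
    static const uint8_t p1[] = { 1, 2, 3, 4 }, p2[] = { 5, 6 };
    uint8_t out[MAX_MSG];
    struct fragment good[] = { { 0, 6, 4, 2, p2 }, { 0, 6, 0, 4, p1 } };
    struct fragment bad[]  = { { 0, 6, 0, 4, p1 }, { 0, 600, 596, 2, p2 } };
    int ok = 1;
    ok &= reassemble(good, 2, out, sizeof out) == 6 && memcmp(out, "\1\2\3\4\5\6", 6) == 0;
    ok &= reassemble(bad, 2, out, sizeof out) == -1;
    ok &= comparator_antisymmetric(cmp_fragment, &good[0], &good[0]);
    ok &= !comparator_antisymmetric(cmp_broken, &good[0], &good[0]);
    return ok;
}
```

The offset check is written as `frag_len > msg_len - frag_off` after first rejecting `frag_off > msg_len`, so the subtraction can never underflow; writing it as `frag_off + frag_len > msg_len` would reintroduce an integer-overflow path.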

CVE-2026-42010

Joshua Rogers discovered that servers configured with RSA-PSK
wrongfully matched usernames with a NUL character in them to ones
truncated at the NUL character, which could lead to an authentication
bypass.

CVE-2026-42011

Haruto Kimura discovered that permitted name constraints were
wrongfully ignored when prior CAs only had excluded name
constraints, resulting in a name constraint bypass.
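CVE-2026-3833 and CVE-2026-42011 above are both name-constraint processing errors: dNSName comparison must be case-insensitive (RFC 5280 § 7.2), and a permitted subtree defined by a later CA must still be applied even when earlier CAs carried only excluded subtrees. The following added example, written for this digest and not taken from GnuTLS, shows one way to keep that state across a chain; the table sizes, the `chain_state` structure and the sample chain are assumptions made for the demonstration.

```c
/* Added example (not GnuTLS code): RFC 5280 dNSName constraint matching
 * across a certification path. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_CAS      4   /* CAs in the chain that may carry permitted subtrees */
#define MAX_EXCLUDED 16  /* excluded subtrees accumulated over the whole chain */

/* Running name-constraint state for one certification path. */
struct chain_state {
    const char *const *permitted[MAX_CAS]; /* one permitted list per CA that defined any */
    size_t n_permitted[MAX_CAS];
    size_t n_cas_with_permitted;
    const char *excluded[MAX_EXCLUDED];    /* union of excluded subtrees over the chain */
    size_t n_excluded;
};

/* dNSName comparison is case-insensitive (RFC 5280 section 7.2). */
static bool dns_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* True if name equals the constraint or lies in a subdomain of it. The
 * '.' boundary check keeps "evilexample.com" out of "example.com". */
bool dns_in_subtree(const char *name, const char *constraint)
{
    size_t nlen = strlen(name), clen = strlen(constraint);
    if (clen == 0 || nlen < clen)
        return false;
    const char *tail = name + (nlen - clen);
    if (!dns_equal(tail, constraint))
        return false;
    return nlen == clen || tail[-1] == '.';
}

static bool in_any(const char *name, const char *const *subtrees, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (dns_in_subtree(name, subtrees[i]))
            return true;
    return false;
}

/* Fold one CA's NameConstraints into the chain state. A permitted list is
 * recorded whenever a CA defines one, regardless of whether earlier CAs
 * carried only excluded subtrees. Returns false if a table would overflow. */
bool apply_ca_constraints(struct chain_state *st,
                          const char *const *permitted, size_t n_perm,
                          const char *const *excluded, size_t n_excl)
{
    if (n_perm > 0) {
        if (st->n_cas_with_permitted == MAX_CAS)
            return false;
        st->permitted[st->n_cas_with_permitted] = permitted;
        st->n_permitted[st->n_cas_with_permitted] = n_perm;
        st->n_cas_with_permitted++;
    }
    if (n_excl > MAX_EXCLUDED - st->n_excluded)
        return false;
    for (size_t i = 0; i < n_excl; i++)
        st->excluded[st->n_excluded++] = excluded[i];
    return true;
}

/* A dNSName is acceptable only if it is outside every excluded subtree and
 * inside at least one permitted subtree of every CA that defined any. */
bool dns_name_allowed(const struct chain_state *st, const char *name)
{
    if (in_any(name, st->excluded, st->n_excluded))
        return false;
    for (size_t i = 0; i < st->n_cas_with_permitted; i++)
        if (!in_any(name, st->permitted[i], st->n_permitted[i]))
            return false;
    return true;
}

/* Constructed chain: the root excludes internal.example.com and carries no
 * permitted subtrees; the subordinate CA permits only example.com. */
int demo(void)
{
    static const char *const root_excluded[] = { "internal.example.com" };
    static const char *const sub_permitted[] = { "example.com" };
    struct chain_state st = {0};
    int ok = 1;
    ok &= apply_ca_constraints(&st, NULL, 0, root_excluded, 1);
    ok &= apply_ca_constraints(&st, sub_permitted, 1, NULL, 0);
    ok &= dns_name_allowed(&st, "www.example.com");
    ok &= !dns_name_allowed(&st, "host.INTERNAL.Example.COM"); /* case must not evade the exclusion */
    ok &= !dns_name_allowed(&st, "www.example.org");           /* the later permitted list applies */
    return ok;
}
```

Keeping one permitted list per CA, rather than trying to compute a single intersected set, makes the rule "inside a permitted subtree of every CA that defined any" direct to verify and removes the temptation to skip a CA's list because nothing was intersected before it.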

CVE-2026-42012

Oleh Konko discovered that certificates containing URI or SRV
Subject Alternative Names would fall back to checking DNS hostnames
against Common Name, allowing potential misuse of such certificates
beyond their original purpose.

CVE-2026-42013

Haruto Kimura and Joshua Rogers independently discovered that
validation of certificates with oversized Subject Alternative Names
would fall back to checking DNS hostnames against Common Name.

CVE-2026-42014

Luigino Camastra and Joshua Rogers discovered that changing the
Security Officer PIN with `gnutls_pkcs11_token_set_pin()` with
`oldpin == NULL` for a token lacking a protected authentication path
led to a use-after-free.

CVE-2026-42015

Zou Dikai discovered that appending to a PKCS#12 bag that already
contained 32 elements could write past the bag's internal array.

This update also fixes additional security issues for which no CVE ID
has been assigned yet:

Joshua Rogers discovered that rehandshaking to a username with an
embedded NUL character could theoretically allow bypassing the
`GNUTLS_ALLOW_ID_CHANGE` protection.

Joshua Rogers discovered that the OCSP signing EKU OID was compared
without verifying its length, allowing a shorter OID that shares the
same prefix to match.
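The RSA-PSK username issue (CVE-2026-42010), the rehandshake identity check and the OCSP-signing EKU comparison above share one root: a length-delimited value was compared as if it were a NUL-terminated string or as a bare prefix. The following added example, written for this digest and not taken from GnuTLS, contrasts the weak comparison with a length-aware one; the `datum` structure, the flag-style parameter and the sample inputs are constructed for the demonstration, and the OID bytes are the standard DER encoding of 1.3.6.1.5.5.7.3.9.

```c
/* Added example (not GnuTLS code): comparing usernames and OIDs as
 * (pointer, length) pairs instead of C strings or prefixes. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A length-delimited byte string, the form in which usernames and DER
 * OIDs are actually received. */
struct datum {
    const unsigned char *data;
    size_t size;
};

/* The weak shape of comparison: strcmp() stops at the first NUL byte, so a
 * username that merely starts with "alice" before a NUL compares equal to
 * "alice". Kept here only to contrast with the correct version below. */
bool ids_equal_strcmp(const struct datum *a, const struct datum *b)
{
    return strcmp((const char *)a->data, (const char *)b->data) == 0;
}

/* Length-aware equality: same size and every byte identical. */
bool datum_equal(const struct datum *a, const struct datum *b)
{
    return a->size == b->size && memcmp(a->data, b->data, a->size) == 0;
}

/* An identity change across a rehandshake is permitted only if the
 * application opted in (a GNUTLS_ALLOW_ID_CHANGE-style flag) or the new
 * username is byte-for-byte identical to the previous one. */
bool rehandshake_identity_ok(const struct datum *previous,
                             const struct datum *current,
                             bool allow_id_change)
{
    return allow_id_change || datum_equal(previous, current);
}

/* DER encoding of id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9). */
static const unsigned char OID_OCSP_SIGNING[] =
    { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09 };

/* An EKU OID matches only with identical length: a candidate that is a
 * prefix of the expected OID (for example the id-kp arc itself) is rejected. */
bool oid_matches(const struct datum *candidate,
                 const unsigned char *expected, size_t expected_len)
{
    struct datum e = { expected, expected_len };
    return datum_equal(candidate, &e);
}

int demo(void)
{
    /* Constructed inputs: a registered username and a received one that
     * carries an embedded NUL byte followed by extra data. */
    static const unsigned char stored[] = "alice";
    static const unsigned char sent[]   = "alice\0extra";
    struct datum a = { stored, sizeof stored - 1 };   /* 5 bytes */
    struct datum b = { sent,   sizeof sent - 1 };     /* 11 bytes */
    struct datum prefix = { OID_OCSP_SIGNING, sizeof OID_OCSP_SIGNING - 1 };
    struct datum full   = { OID_OCSP_SIGNING, sizeof OID_OCSP_SIGNING };
    int ok = 1;

    ok &= ids_equal_strcmp(&a, &b);                    /* weak check: false match */
    ok &= !datum_equal(&a, &b);                        /* correct check: no match */
    ok &= !rehandshake_identity_ok(&a, &b, false);     /* identity change refused by default */
    ok &= rehandshake_identity_ok(&a, &a, false);      /* unchanged identity is fine */
    ok &= !oid_matches(&prefix, OID_OCSP_SIGNING, sizeof OID_OCSP_SIGNING);
    ok &= oid_matches(&full, OID_OCSP_SIGNING, sizeof OID_OCSP_SIGNING);
    return ok;
}
```

The size check in `datum_equal` must come before `memcmp()`: comparing only `min(size)` bytes is exactly the prefix match that lets a shorter OID pass.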

Haruto Kimura discovered a possible invalid pointer dereference in
the PKCS#11 trust removal error path.

Kamil Frankowicz discovered that `gnutls_privkey_verify_params()`
overlooked the scenario of `p` and `q` not being co-prime. It now
returns `GNUTLS_E_PK_INVALID_PRIVKEY` in this case.

Joshua Rogers discovered that if `gnutls_x509_crt_list_import_pkcs11()`
failed partway through, then the trust list cleanup code would try
to free already-deinitialized certificate entries, leading to a
double-free.

Kamil Frankowicz and Joshua Rogers independently discovered that
insufficient bounds checking on the PEM header length could lead to
short heap overreads on specially crafted inputs.

For Debian 11 bullseye, these problems have been fixed in version
3.7.1-5+deb11u10.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6294-1] libgcrypt20 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6294-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 22, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libgcrypt20
CVE ID : CVE-2026-41989

It was discovered that an incorrect implementation of ECDH encryption
(with NIST, Brainpool, X448, or X25519 curves) within Libgcrypt could
result in denial of service.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.10.1-3+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 1.11.0-7+deb13u1.

We recommend that you upgrade your libgcrypt20 packages.

For the detailed security status of libgcrypt20 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libgcrypt20

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4597-1] atril security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4597-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Andreas Henriksson
May 22, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : atril
Version : 1.24.0-1+deb11u2
CVE ID : CVE-2026-46529

It was discovered that atril, a simple multi-page document viewer, is
prone to a command injection vulnerability if a specially crafted PDF
file is opened.

For Debian 11 bullseye, this problem has been fixed in version
1.24.0-1+deb11u2.

We recommend that you upgrade your atril packages.

For the detailed security status of atril please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/atril

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6293-1] krb5 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6293-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 22, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : krb5
CVE ID : CVE-2026-40355
Debian Bug : 1135317

Cem Onat Karagun discovered two vulnerabilities in the NegoEx parsing in
krb5, the MIT implementation of Kerberos. An unauthenticated remote
attacker can take advantage of these flaws to cause a denial of service.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.20.1-2+deb12u5.

For the stable distribution (trixie), this problem has been fixed in
version 1.21.3-5+deb13u1.

We recommend that you upgrade your krb5 packages.

For the detailed security status of krb5 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/krb5

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6292-1] haveged security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6292-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 22, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : haveged
CVE ID : CVE-2026-41054
Debian Bug : 1137096

Dirk Mueller discovered that a flaw in the function performing a
credential check on the command socket of haveged, a userspace entropy
daemon, may result in local privilege escalation.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.9.14-1+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 1.9.19-12+deb13u1.

We recommend that you upgrade your haveged packages.

For the detailed security status of haveged please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/haveged

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4596-1] evince security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4596-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Andreas Henriksson
May 22, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : evince
Version : 3.38.2-1+deb11u1
CVE ID : CVE-2026-46529

It was discovered that evince, a simple multi-page document viewer, is
prone to a command injection vulnerability if a specially crafted PDF
file is opened.

For Debian 11 bullseye, this problem has been fixed in version
3.38.2-1+deb11u1.

We recommend that you upgrade your evince packages.

For the detailed security status of evince please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/evince

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6291-1] haproxy security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6291-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 22, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : haproxy
CVE ID : CVE-2026-33555

Martino Spagnuolo reported that the HTTP/3 parsing code in HAProxy, a
fast and reliable load balancing reverse proxy, does not properly
validate the received body size and the announced content-length header,
which may result in HTTP request smuggling.
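The HAProxy issue above is a body-length accounting problem: on a framed transport such as HTTP/3 the proxy must compare the bytes it actually receives in DATA frames against the announced content-length and refuse to forward a request where the two disagree, otherwise the proxy and the backend can end up with different ideas of where one request ends and the next begins. The following added example, written for this digest and not taken from HAProxy, shows such accounting as a small state machine; the `body_acct` structure, the state names and the sample frame sizes are constructed for the demonstration.

```c
/* Added example (not HAProxy code): request-body accounting for a framed
 * transport, rejecting any mismatch with the announced content-length. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum body_state { BODY_OPEN, BODY_COMPLETE, BODY_ERROR };

struct body_acct {
    bool has_content_length;
    uint64_t announced;   /* value of content-length, if present */
    uint64_t received;    /* DATA frame payload bytes seen so far */
    enum body_state state;
};

void body_init(struct body_acct *b, bool has_content_length, uint64_t content_length)
{
    b->has_content_length = has_content_length;
    b->announced = content_length;
    b->received = 0;
    b->state = BODY_OPEN;
}

/* Account for one DATA frame of len bytes. Excess over the announced
 * length is a protocol error, not something to silently truncate. */
enum body_state body_on_data(struct body_acct *b, uint64_t len)
{
    if (b->state != BODY_OPEN)
        return b->state;
    if (len > UINT64_MAX - b->received) {          /* counter overflow guard */
        b->state = BODY_ERROR;
        return b->state;
    }
    b->received += len;
    if (b->has_content_length && b->received > b->announced)
        b->state = BODY_ERROR;
    return b->state;
}

/* End of stream: the request is complete only if the body matches the
 * announcement; a short body is as much an error as a long one. */
enum body_state body_on_end(struct body_acct *b)
{
    if (b->state != BODY_OPEN)
        return b->state;
    if (b->has_content_length && b->received != b->announced)
        b->state = BODY_ERROR;
    else
        b->state = BODY_COMPLETE;
    return b->state;
}

/* Strict content-length parsing: decimal digits only, no sign, no
 * whitespace, no overflow. Anything else is rejected rather than guessed at. */
bool parse_content_length(const char *s, uint64_t *out)
{
    if (*s == '\0')
        return false;
    uint64_t v = 0;
    for (; *s; s++) {
        if (*s < '0' || *s > '9')
            return false;
        unsigned d = (unsigned)(*s - '0');
        if (v > (UINT64_MAX - d) / 10)
            return false;
        v = v * 10 + d;
    }
    *out = v;
    return true;
}

/* Constructed scenarios: exact match, excess data, short body, no header. */
int demo(void)
{
    struct body_acct b;
    uint64_t cl;
    int ok = 1;
    ok &= parse_content_length("10", &cl) && cl == 10;
    ok &= !parse_content_length("+10", &cl);
    ok &= !parse_content_length("1e3", &cl);

    body_init(&b, true, 10);            /* 4 + 6 bytes announced as 10: complete */
    body_on_data(&b, 4);
    body_on_data(&b, 6);
    ok &= body_on_end(&b) == BODY_COMPLETE;

    body_init(&b, true, 10);            /* 4 + 8 bytes announced as 10: error on the excess */
    body_on_data(&b, 4);
    ok &= body_on_data(&b, 8) == BODY_ERROR;

    body_init(&b, true, 10);            /* stream ends after 4 bytes: error */
    body_on_data(&b, 4);
    ok &= body_on_end(&b) == BODY_ERROR;

    body_init(&b, false, 0);            /* no content-length: the stream end defines the body */
    body_on_data(&b, 3);
    ok &= body_on_end(&b) == BODY_COMPLETE;
    return ok;
}
```

Once a request is in `BODY_ERROR` the state sticks and later frames are ignored, so the proxy's decision is to close or reset the stream rather than forward a request whose framing it could not trust.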

For the stable distribution (trixie), this problem has been fixed in
version 3.0.11-1+deb13u3.

We recommend that you upgrade your haproxy packages.

For the detailed security status of haproxy please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/haproxy

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/