Debian released a series of security advisories to patch critical flaws across several major software packages including Thunderbird, PostgreSQL versions fifteen and seventeen, Node.js, FFmpeg, Apache2, nghttp2, and gsasl. Attackers could exploit these weaknesses to execute arbitrary code, bypass authorization controls, trigger denial of service attacks, or leak sensitive information from vulnerable systems. The updates provide specific version numbers for Debian bookworm, trixie, and bullseye distributions while also correcting earlier release notes regarding certain Apache vulnerabilities. System administrators should upgrade their affected software immediately using the recommended package versions to maintain network security.

[DSA 6267-1] thunderbird security update
[DSA 6266-1] nghttp2 security update
[DSA 6271-1] gsasl security update
[DSA 6270-1] postgresql-17 security update
[DSA 6269-1] postgresql-15 security update
[DLA 4582-1] thunderbird security update
[DSA 6268-1] ffmpeg security update
[DSA 6272-1] nodejs security update
[ERRATUM] [DLA 4571-1] apache2 security update

[SECURITY] [DSA 6267-1] thunderbird security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6267-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 14, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2026-8090 CVE-2026-8092 CVE-2026-8094

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1:140.10.2esr-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 1:140.10.2esr-1~deb13u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6266-1] nghttp2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6266-1 security@debian.org
https://www.debian.org/security/ Aron Xu
May 14, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : nghttp2
CVE ID : CVE-2026-27135
Debian Bug : 1131369

It was discovered that nghttp2, an implementation of the HTTP/2 protocol,
could be crashed via an assertion failure. A remote attacker could exploit
this to cause a DoS attack by sending a malformed frame immediately
after triggering the termination path.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.52.0-1+deb12u3.

For the stable distribution (trixie), this problem has been fixed in
version 1.64.0-1.1+deb13u1.

We recommend that you upgrade your nghttp2 packages.

For the detailed security status of nghttp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nghttp2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6271-1] gsasl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6271-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 14, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gsasl
CVE ID : not yet available

It was discovered that missing input sanitising in the DIGEST-MD5 parser
of the GNU SASL library could result in denial of service.

For the oldstable distribution (bookworm), this problem has been fixed
in version 2.2.0-1+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 2.2.2-1.1+deb13u1.

We recommend that you upgrade your gsasl packages.

For the detailed security status of gsasl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gsasl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6270-1] postgresql-17 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6270-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 14, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-17
CVE ID : CVE-2026-6472 CVE-2026-6473 CVE-2026-6474 CVE-2026-6475
CVE-2026-6476 CVE-2026-6477 CVE-2026-6478 CVE-2026-6479
CVE-2026-6637 CVE-2026-6638

Multiple security issues were discovered in PostgreSQL, which may result
in authorisation bypass, execution of arbitrary code, information
disclosure, privilege escalation, SQL injection or denial of service.

For the stable distribution (trixie), these problems have been fixed in
version 17.10-0+deb13u1.

We recommend that you upgrade your postgresql-17 packages.

For the detailed security status of postgresql-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-17

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6269-1] postgresql-15 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6269-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 14, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-15
CVE ID : CVE-2026-6472 CVE-2026-6473 CVE-2026-6474 CVE-2026-6475
CVE-2026-6477 CVE-2026-6478 CVE-2026-6479 CVE-2026-6637

Multiple security issues were discovered in PostgreSQL, which may result
in authorisation bypass, execution of arbitrary code, information
disclosure, privilege escalation, SQL injection or denial of service.

For the oldstable distribution (bookworm), these problems have been fixed
in version 15.18-0+deb12u1.

We recommend that you upgrade your postgresql-15 packages.

For the detailed security status of postgresql-15 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-15

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DLA 4582-1] thunderbird security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4582-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
May 14, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : thunderbird
Version : 1:140.10.2esr-1~deb11u1
CVE ID : CVE-2026-8090 CVE-2026-8092 CVE-2026-8094

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For Debian 11 bullseye, these problems have been fixed in version
1:140.10.2esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DSA 6268-1] ffmpeg security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6268-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 14, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ffmpeg
CVE ID : not yet available

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (trixie), this problem has been fixed in
version 7:7.1.4-0+deb13u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6272-1] nodejs security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6272-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 14, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : nodejs
CVE ID : CVE-2025-23085 CVE-2025-23166 CVE-2025-55131
CVE-2025-59465 CVE-2025-59466 CVE-2026-21710
CVE-2026-21713 CVE-2026-21714

Multiple vulnerabilities were discovered in Node.js, which could result
in denial of service or information disclosure.

For the oldstable distribution (bookworm), these problems have been fixed
in version 18.20.4+dfsg-1~deb12u2.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [ERRATUM] [SECURITY] [DLA 4571-1] apache2 security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4571-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucari??s
May 08, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : apache2
Version : 2.4.67-1~deb11u1
CVE ID : CVE-2026-24072 CVE-2026-28780 CVE-2026-29168 CVE-2026-29169
CVE-2026-33006 CVE-2026-33007 CVE-2026-33523 CVE-2026-33857
CVE-2026-34032 CVE-2026-34059
Debian Bug : 1135737

Multiple vulnerabilities have been discovered in the Apache HTTP server,
which may result in remote code execution, privilege escalation, denial
of service or information disclosure.

An erratum was issued because DLA???4571???1 incorrectly marked CVE???2026???28780
and CVE???2026???29168 as not fixed.

These two vulnerabilities are in fact addressed in version 2.4.67???1~deb11u1,
which includes the required security fixes.

Additionally, CVE???2026???23918 was marked as not affecting Bullseye, as the
vulnerable code is not present in any previously released Bullseye packages.
However, the updated package includes the fix for this issue as well,
even though it does not impact this release.

For Debian 11 bullseye, these problems have been fixed in version
2.4.67-1~deb11u1.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS