[DSA 6103-1] thunderbird security update
[DSA 6102-1] python-urllib3 security update
ELA-1615-1 tomcat9 security update
[SECURITY] [DSA 6103-1] thunderbird security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6103-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 17, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : thunderbird
CVE ID : CVE-2025-14327 CVE-2026-0877 CVE-2026-0878 CVE-2026-0879
CVE-2026-0880 CVE-2026-0882 CVE-2026-0883 CVE-2026-0884
CVE-2026-0885 CVE-2026-0886 CVE-2026-0887 CVE-2026-0890
CVE-2026-0891
Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.
For the oldstable distribution (bookworm), these problems have been fixed
in version 1:140.7.0esr-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 1:140.7.0esr-1~deb13u1.
We recommend that you upgrade your thunderbird packages.
For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6102-1] python-urllib3 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6102-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 17, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : python-urllib3
CVE ID : CVE-2025-50181 CVE-2025-66418 CVE-2026-21441
Debian Bug : 1108076 1122030 1125062
Several vulnerabilities were discovered in python-urllib3, an HTTP
library with thread-safe connection pooling for Python 3, which could
result in denial of service or request forgery.
For the oldstable distribution (bookworm), these problems have been fixed
in version 1.26.12-1+deb12u2.
For the stable distribution (trixie), these problems have been fixed in
version 2.3.0-3+deb13u1.
We recommend that you upgrade your python-urllib3 packages.
For the detailed security status of python-urllib3 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python-urllib3
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
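The three advisories on this page each name the version in which the problems are fixed, and the practical question for an operator is whether the installed version is at or past that one. On a Debian host `dpkg --compare-versions` answers it directly; the following is an added example (not part of the advisories) that ports dpkg's version-ordering rules to Python so the same check can run over an inventory export on a machine without dpkg. The fixed versions in FIXED are copied from DSA-6103-1, DSA-6102-1 and ELA-1615-1; the installed versions in SAMPLES are constructed test data, not observations.

```python
"""Is an installed Debian package version at or past the version an
advisory names as fixed?  Added example: a Python port of dpkg's
version ordering (epoch, then upstream version, then Debian revision).
Fixed versions are copied from DSA-6103-1, DSA-6102-1 and ELA-1615-1;
the installed versions in SAMPLES are constructed test data."""


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run, as dpkg defines it:
    end-of-string and digits count 0, '~' sorts before everything (so
    1.0~rc1 < 1.0), letters sort before every other character."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if "0" <= c <= "9":
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    return ord(c) + 256


def _digit(s: str, k: int) -> bool:
    return k < len(s) and "0" <= s[k] <= "9"


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream-version or revision pair like dpkg's verrevcmp():
    alternate a non-digit run (compared with _order) and a digit run
    (compared numerically, leading zeros ignored).  Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: the first differing character decides.
        while (i < len(a) and not _digit(a, i)) or (j < len(b) and not _digit(b, j)):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run is the larger number,
        # and for equal lengths the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while _digit(a, i) and _digit(b, j):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _digit(a, i):
            return 1
        if _digit(b, j):
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def split_version(v: str) -> tuple:
    """Split 'epoch:upstream-revision'.  Epoch defaults to 0; the revision is
    whatever follows the last '-' (empty if there is none), as dpkg parses it."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """dpkg --compare-versions in Python: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# Fixed versions exactly as stated in the advisories, keyed by (suite, source package).
FIXED = {
    ("bookworm", "thunderbird"): "1:140.7.0esr-1~deb12u1",
    ("trixie", "thunderbird"): "1:140.7.0esr-1~deb13u1",
    ("bookworm", "python-urllib3"): "1.26.12-1+deb12u2",
    ("trixie", "python-urllib3"): "2.3.0-3+deb13u1",
    ("buster", "tomcat9"): "9.0.107-0+deb10u1",
}


def is_fixed(installed: str, suite: str, source_pkg: str) -> bool:
    """True when the installed version is the fixed version or newer."""
    return compare_versions(installed, FIXED[(suite, source_pkg)]) >= 0


# Constructed sample inventory: (suite, source package, installed version).
SAMPLES = [
    ("bookworm", "python-urllib3", "1.26.12-1+deb12u1"),    # one revision short
    ("bookworm", "python-urllib3", "1.26.12-1+deb12u2"),    # exactly the fix
    ("bookworm", "thunderbird", "1:128.12.0esr-1~deb12u1"),  # older ESR line
    ("trixie", "thunderbird", "1:140.7.0esr-1~deb13u1"),    # exactly the fix
    ("buster", "tomcat9", "9.0.31-1~deb10u1"),              # buster before ELA-1615-1
]


def check_samples() -> list:
    return [is_fixed(v, suite, pkg) for suite, pkg, v in SAMPLES]


if __name__ == "__main__":
    for (suite, pkg, v), ok in zip(SAMPLES, check_samples()):
        print(f"{suite:9} {pkg:15} {v:26} {'fixed' if ok else 'VULNERABLE'}")
```

On a live host the installed version comes from `dpkg-query -W --showformat='${Version}' <binary package>`; note that the binary package built from the python-urllib3 source is python3-urllib3, so that is the name to query. The `~` rule matters here: `1:140.7.0esr-1~deb12u1` is deliberately lower than an upstream `1:140.7.0esr-1`, so a later plain Debian upload still counts as fixed.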
ELA-1615-1 tomcat9 security update
Package : tomcat9
Version : 9.0.107-0+deb10u1 (buster)
Related CVEs :
CVE-2024-34750
CVE-2024-54677
CVE-2025-31650
CVE-2025-31651
CVE-2025-46701
CVE-2025-48976
CVE-2025-48988
CVE-2025-49125
CVE-2025-52434
CVE-2025-52520
CVE-2025-53506
CVE-2025-55668
Several security vulnerabilities have been found in Tomcat 9, a Java
web server and servlet engine. Most notably the update improves the
handling of HTTP/2 connections and corrects various flaws which can lead to
uncontrolled resource consumption and a denial of service (DoS).
A risk analysis was carried out, and it was determined that the best
available solution was to backport the bullseye version of Tomcat to
buster. This decision means that upon installing this update users of
Tomcat in buster will be moving from a Tomcat version of 9.0.31
to 9.0.107.
Unfortunately, some minor incompatibilities may arise, as documented at the end of this advisory.
CVE-2024-34750
Tomcat was affected by an improper handling of exceptional conditions vulnerability.
Tomcat mishandled excessive HTTP/2 headers, causing stream miscounts and infinite
timeouts that allowed connections to remain open and trigger a denial of service.
CVE-2024-54677
Tomcat was affected by an uncontrolled resource consumption vulnerability.
Crafted requests to the bundled examples app could exhaust resources and lead to denial of service.
CVE-2025-31650
Tomcat was affected by an improper input validation vulnerability.
Invalid HTTP priority headers were not cleaned up correctly, causing memory leaks that could accumulate and result in an OutOfMemoryException and denial of service.
CVE-2025-31651
Tomcat was affected by an improper neutralization vulnerability.
Certain rewrite rule configurations allowed specially crafted requests to bypass rewrite rules, potentially bypassing associated security constraints.
CVE-2025-46701
Tomcat was affected by an improper handling of case sensitivity vulnerability.
The CGI servlet failed to correctly enforce case‑sensitive pathInfo checks, enabling attackers to bypass security constraints by altering URL casing.
CVE-2025-48976
Tomcat was affected by an allocation of resources without limits vulnerability.
The headers of individual multipart parts were buffered without a size limit, so a request with very large part headers could consume excessive memory, enabling denial of service (DoS).
CVE-2025-48988
Tomcat was affected by an allocation of resources without limits vulnerability.
Tomcat did not limit the number of parts in a multipart upload, so a request with a very large number of parts could exhaust memory and cause denial of service (DoS).
CVE-2025-49125
Tomcat was affected by an authentication bypass vulnerability.
PreResources or PostResources mounted outside the root could be accessed through unexpected paths not protected by the intended security constraints, enabling bypass of authentication rules.
CVE-2025-52434
Tomcat was affected by a race condition.
Improper synchronization during client‑initiated HTTP/2 connection closes could trigger crashes in the APR/Native connector, leading to Denial of Service (DoS).
CVE-2025-52520
Tomcat was affected by an integer overflow.
Certain multipart upload configurations could trigger an integer overflow, allowing attackers to bypass size limits and cause denial of service (DoS).
CVE-2025-53506
Tomcat was affected by an uncontrolled resource consumption vulnerability.
If an HTTP/2 client failed to acknowledge the initial settings frame, Tomcat could allow excessive concurrent streams, resulting in denial of service (DoS).
To remediate vulnerabilities in the Tomcat 9 server stack, an upgrade to
the bullseye version was performed instead of applying minimal patches.
The following noteworthy changes were identified:
Hardened AJP connector: secretRequired now defaults to true, so an AJP
connector configured without a secret no longer starts. The workaround is
an explicit secretRequired="false" on the connector, or, better from a
security point of view, set a secret.
Deprecated RemoteAddrFilter and RemoteHostFilter. You may migrate to
RemoteCIDRFilter or RemoteCIDRValve.
Fix of session ID propagation for the SSO valve. This may break existing
SSO setups.
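The two configuration changes flagged above (the AJP connector now requiring a secret, and the move from RemoteAddrFilter/RemoteHostFilter to the CIDR-based filter or valve) look like this in a buster deployment after the update. This is an added example, not configuration shipped by Debian or the Tomcat project: it is two separate excerpts, one for conf/server.xml and one for an application's WEB-INF/web.xml, the port, addresses, CIDR ranges and secret are placeholders, and the two multipart limits on the HTTP connector are the upstream Connector attributes introduced with the fixes for CVE-2025-48976 and CVE-2025-48988 as recorded in the upstream changelog rather than in this advisory, so confirm their names and defaults against the Tomcat 9.0.107 configuration reference before relying on them.

```xml
<!-- ===== conf/server.xml excerpt: inside <Service name="Catalina"> ===== -->

<!-- Before: an AJP connector written for 9.0.31 that relied on the old
     behaviour.  With secretRequired now defaulting to true, this connector
     fails to initialise (IllegalArgumentException in catalina.out) and the
     proxy behind it gets connection refused, while the HTTP connectors
     still come up. -->
<!--
<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />
-->

<!-- After: keep the new default, bind to loopback so only the local
     reverse proxy can reach it, and set a shared secret that the proxy
     (mod_proxy_ajp or mod_jk) must present.  The value is a placeholder;
     generate a long random one. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           redirectPort="8443"
           secretRequired="true"
           secret="replace-with-a-long-random-secret" />

<!-- Only if a secret genuinely cannot be configured on the proxy side:
     opt out explicitly (this is the weak setting the advisory mentions as
     a workaround, and it should be paired with a loopback bind at least). -->
<!--
<Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
           secretRequired="false" />
-->

<!-- HTTP connector with explicit multipart limits.  Attribute names are
     the upstream ones added for CVE-2025-48976 (part header size) and
     CVE-2025-48988 (part count); verify against the 9.0.107 docs. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxPartCount="10"
           maxPartHeaderSize="512" />

<!-- ===== WEB-INF/web.xml excerpt of the application being restricted ===== -->

<!-- Before: the deprecated regex-based filter.  Note the regex must match
     the whole address, so every dot has to be escaped and IPv6 loopback
     needs its own alternative. -->
<!--
<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>127\.\d+\.\d+\.\d+|::1|10\.20\.\d+\.\d+</param-value>
  </init-param>
</filter>
-->

<!-- After: the CIDR-based replacement.  Ranges are placeholders. -->
<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteCIDRFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>127.0.0.0/8, ::1/128, 10.20.0.0/16</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Equivalent container-side form, placed in the application's
     META-INF/context.xml (or conf/Catalina/localhost/<app>.xml) instead of
     web.xml, so the restriction cannot be removed by a redeployed WAR: -->
<!--
<Context>
  <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
         allow="127.0.0.0/8, ::1/128, 10.20.0.0/16" />
</Context>
-->
```

Whichever form is used, the address being tested is the one Tomcat sees on the socket; if the application sits behind a reverse proxy, the filter or valve only makes sense together with RemoteIpValve (or the proxy's own access control), otherwise every request arrives from the proxy's address and the allow list is either all-or-nothing.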