[DSA 6329-1] tomcat11 security update
[DSA 6328-1] tomcat10 security update
[DLA 4623-1] jackson-core security update
[DLA 4622-1] libxml2 security update
[DSA 6331-1] keystone security update
[SECURITY] [DSA 6329-1] tomcat11 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6329-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
June 08, 2026                         https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : tomcat11
CVE ID : CVE-2026-24734 CVE-2026-24880 CVE-2026-25854 CVE-2026-29129
CVE-2026-29145 CVE-2026-29146 CVE-2026-32990 CVE-2026-34483
CVE-2026-34487 CVE-2026-34500 CVE-2026-41284 CVE-2026-41293
CVE-2026-42498 CVE-2026-43512 CVE-2026-43513 CVE-2026-43514
CVE-2026-43515
Multiple security vulnerabilities have been discovered in Tomcat 11, a
Java-based web server, servlet and JSP engine, which may result in a denial
of service, authentication bypass or the disclosure of sensitive information.
Although we are not aware of any problems, new upstream versions may introduce
new options, limits or code changes which may or may not affect your existing
web applications. We recommend consulting the Tomcat 11 documentation for
further information.
For the stable distribution (trixie), these problems have been fixed in
version 11.0.22-1~deb13u1.
We recommend that you upgrade your tomcat11 packages.
For the detailed security status of tomcat11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat11
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6328-1] tomcat10 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6328-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
June 08, 2026                         https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : tomcat10
CVE ID : CVE-2026-24880 CVE-2026-25854 CVE-2026-29129 CVE-2026-29145
CVE-2026-29146 CVE-2026-32990 CVE-2026-34483 CVE-2026-34487
CVE-2026-34500 CVE-2026-41284 CVE-2026-41293 CVE-2026-42498
CVE-2026-43512 CVE-2026-43513 CVE-2026-43514 CVE-2026-43515
Multiple security vulnerabilities have been discovered in Tomcat 10, a
Java-based web server, servlet and JSP engine, which may result in a denial
of service, authentication bypass or the disclosure of sensitive information.
Although we are not aware of any problems, new upstream versions may introduce
new options, limits or code changes which may or may not affect your existing
web applications. We recommend consulting the Tomcat 10 documentation for
further information.
For the oldstable distribution (bookworm), these problems have been fixed
in version 10.1.55-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 10.1.55-1~deb13u1.
We recommend that you upgrade your tomcat10 packages.
For the detailed security status of tomcat10 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat10
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4623-1] jackson-core security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4623-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 08, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : jackson-core
Version : 2.14.1-2~deb11u1
CVE ID : CVE-2025-49128 CVE-2025-52999
Debian Bug : 1108367
Two security vulnerabilities have been found in jackson-core, a fast and
powerful JSON library for Java, which may allow an attacker to cause a denial
of service by using deeply nested JSON data or disclose sensitive information
by abusing a flaw in how certain exception messages are handled in
jackson-core.
Please note that related and complementary jackson-* packages like
jackson-databind or the jackson-dataformat-* packages had to be upgraded as
well in order to fix build failures caused by the newer upstream release of
jackson-core.
For Debian 11 bullseye, these problems have been fixed in version
2.14.1-2~deb11u1.
We recommend that you upgrade your jackson-* packages.
For the detailed security status of jackson-core please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-core
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4622-1] libxml2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4622-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
June 08, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libxml2
Version : 2.9.10+dfsg-6.7+deb11u10
CVE ID : CVE-2025-8732 CVE-2026-0989 CVE-2026-0990 CVE-2026-0992
CVE-2026-1757
Debian Bug : 1125691 1125695 1125696
Multiple security issues were found in libxml2, the GNOME XML library,
which could lead to denial of service.
CVE-2025-8732
Catalog parsing functions were missing cycle detection. When a
catalog file contains a CATALOG directive pointing to itself,
`xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call
each other without bounds until stack overflow.
CVE-2026-0989
The RelaxNG parser does not limit the recursion depth when resolving
`` directives, which may lead to stack overflow on a
malicious RelaxNG schema file.
CVE-2026-0990
Nick Wellnhofer discovered that `xmlCatalogXMLResolveURI()` will
recurse infinitely if a catalog has a URI delegate referencing
itself, eventually resulting in a call stack overflow.
CVE-2026-0992
Nick Wellnhofer discovered that processing a chain of XML catalogs
linked with `` and having the `` element
takes exponential time, leading to denial of service via resource
exhaustion.
CVE-2026-1757
The command parsing logic of the xmllint(1) interactive shell was
found to leak memory.
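The catalog entries above (CVE-2025-8732, CVE-2026-0990 and CVE-2026-0992) all come down to a resolver that follows catalog references without remembering where it has been. The following is an added example, not libxml2 code, of a toy catalog resolver with the three guards that class of bug calls for: detection of a catalog that reaches itself, a bound on how many catalogs one lookup may chain through, and memoization so a chain of catalogs is searched once rather than exponentially. The catalog model, entry kinds, names and the depth bound of 50 are this example's own assumptions.

```python
"""Toy catalog resolver with cycle detection, a chain-depth bound and memoization."""
from typing import NamedTuple, Optional

MAX_CHAIN_DEPTH = 50  # assumed bound on how many catalogs one lookup may traverse


class CatalogError(ValueError):
    """Raised for a self-referencing or over-deep catalog chain."""


class Resolution(NamedTuple):
    target: Optional[str]   # rewritten URI, or None if nothing matched
    catalogs_searched: int  # how many distinct catalogs the lookup opened


def resolve_uri(catalogs, start, uri, max_depth=MAX_CHAIN_DEPTH):
    """Resolve `uri` through the catalog chain beginning at catalog `start`.

    `catalogs` maps a catalog name to a list of entries, each one of:
      ("uri", match, target)      exact-match rewrite of `match` to `target`
      ("delegate", prefix, name)  consult catalog `name` for URIs with that prefix
      ("next", name)              consult catalog `name` when nothing matched here
    """
    on_path = []  # catalogs on the current recursion path, for cycle detection
    done = {}     # catalog name -> result, so every catalog is searched at most once

    def walk(name, depth):
        if name in on_path:
            raise CatalogError(f"catalog {name!r} references itself via {on_path}")
        if depth > max_depth:
            raise CatalogError(f"catalog chain deeper than {max_depth} at {name!r}")
        if name in done:
            return done[name]
        on_path.append(name)
        result = None
        for entry in catalogs.get(name, ()):
            kind = entry[0]
            if kind == "uri" and entry[1] == uri:
                result = entry[2]
            elif kind == "delegate" and uri.startswith(entry[1]):
                result = walk(entry[2], depth + 1)
            elif kind == "next":
                result = walk(entry[1], depth + 1)
            if result is not None:
                break
        on_path.pop()
        done[name] = result
        return result

    target = walk(start, 0)
    return Resolution(target, len(done))


# Constructed sample catalogs (not real files): a healthy chain plus two
# malformed ones whose shape matches the self-reference bugs described above.
SAMPLE = {
    "root": [("delegate", "http://example.test/", "site"), ("next", "fallback")],
    "site": [("uri", "http://example.test/schema.dtd", "file:///usr/share/xml/schema.dtd")],
    "fallback": [("uri", "http://other.test/x", "file:///tmp/x")],
    "loop": [("delegate", "http://", "loop")],   # delegate pointing at itself
    "ping": [("next", "pong")],                   # two catalogs pointing at each other
    "pong": [("next", "ping")],
}


def doubled_chain(n, uri, target):
    """Constructed chain c0..cn in which each catalog points twice at the next.

    Searching for a URI that never matches would open 2**n catalogs without
    memoization; with it, exactly n + 1.
    """
    cats = {f"c{i}": [("next", f"c{i + 1}"), ("next", f"c{i + 1}")] for i in range(n)}
    cats[f"c{n}"] = [("uri", uri, target)]
    return cats


if __name__ == "__main__":
    print(resolve_uri(SAMPLE, "root", "http://example.test/schema.dtd"))
    for bad in ("loop", "ping"):
        try:
            resolve_uri(SAMPLE, bad, "http://example.test/anything")
        except CatalogError as exc:
            print("rejected:", exc)
    print(resolve_uri(doubled_chain(30, "http://a", "file:///a"), "c0", "http://nomatch"))
```

The path set catches the self-reference cases, the depth bound catches chains that are merely long rather than cyclic, and the memo is what turns the doubled chain from exponential into linear work; a resolver needs all three, since each guard alone leaves one of the three failure modes open.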
In addition, a few other security issues were found for which no CVE ID
was assigned yet:
* Memory leak of prefix in `xmlTextWriterStartElementNS()`.
* Potential use-after-free issue in `xmlRelaxNGValidateValue()`.
* Memory leak in `xmlTextWriterStartAttributeNS()`.
* Additional memory leaks on error paths in schematron.
* Stack overflow from self-referencing SGML CATALOG entries.
For Debian 11 bullseye, these problems have been fixed in version
2.9.10+dfsg-6.7+deb11u10.
We recommend that you upgrade your libxml2 packages.
For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6331-1] keystone security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6331-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 08, 2026                         https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : keystone
CVE ID : CVE-2026-42998 CVE-2026-42999 CVE-2026-43000
CVE-2026-43001 CVE-2026-44394
Multiple vulnerabilities were discovered in Keystone, the OpenStack
identity service, which may result in authorisation bypass, privilege
escalation, user impersonation or incomplete termination of access
privileges.
For the oldstable distribution (bookworm), these problems have been fixed
in version 2:22.0.2-0+deb12u3. This update also includes two fixes
already uploaded to be included in the final Bookworm point release
(CVE-2026-40683, CVE-2026-33551).
For the stable distribution (trixie), these problems have been fixed in
version 2:27.0.0-3+deb13u4. This update also includes two fixes
already uploaded to be included in the next Trixie point release
(CVE-2026-40683, CVE-2026-33551).
We recommend that you upgrade your keystone packages.
For the detailed security status of keystone please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/keystone
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/