Debian issued a batch of security advisories and timezone updates for its LTS distributions. The tzdata package now incorporates the 2026b database, which shifts British Columbia to permanent standard time and refreshes its leap second records. Critical patches also addressed multiple vulnerabilities across several applications, ranging from buffer overflows in LibreOffice and integer overflow flaws in lcms2 to severe access control weaknesses in Prosody. Administrators should prioritize upgrading Chromium alongside these other tools since the browser update resolves dozens of critical issues that could allow arbitrary code execution or data leaks.

ELA-1712-1 libdatetime-timezone-perl new timezone database
ELA-1711-1 tzdata new timezone database
[DLA 4570-1] libdatetime-timezone-perl new timezone database
[DLA 4569-1] tzdata new timezone database
[DSA 6252-1] prosody security update
[DSA 6251-1] libreoffice security update
[DSA 6250-1] chromium security update
[DLA 4568-1] lcms2 security update

ELA-1712-1 libdatetime-timezone-perl new timezone database (by )

Package : libdatetime-timezone-perl

Version : 1:2.09-1+2026b (stretch), 1:2.23-1+2026b (buster)

This update includes the changes in tzdata 2026b for the Perl bindings.

ELA-1712-1 libdatetime-timezone-perl new timezone database (by )

ELA-1711-1 tzdata new timezone database (by )

Package : tzdata

Version : 2026b-0+deb9u1 (stretch), 2026b-0+deb10u1 (buster)

This update includes the changes in tzdata 2026b. Notable changes are:

British Columbia moved to permanent -07 on 2026-03-09, so it will not
fall back from -07 to -08 on 2026-11-01.
Updated leap second list, which was set to expire by the end of
June.

ELA-1711-1 tzdata new timezone database (by )

[SECURITY] [DLA 4570-1] libdatetime-timezone-perl new timezone database

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4570-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
May 07, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libdatetime-timezone-perl
Version : 1:2.47-1+2026b

This update includes the changes in tzdata 2026b for the
Perl bindings. For the list of changes, see DLA-4569-1.

For Debian 11 bullseye, this problem has been fixed in version
1:2.47-1+2026b.

We recommend that you upgrade your libdatetime-timezone-perl packages.

For the detailed security status of libdatetime-timezone-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libdatetime-timezone-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4569-1] tzdata new timezone database

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4569-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
May 07, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : tzdata
Version : 2026b-0+deb11u1

This update includes the changes in tzdata 2026b. Notable changes are:

- - British Columbia moved to permanent -07 on 2026-03-09, so it will not
fall back from -07 to -08 on 2026-11-01.
- - Updated leap second list, which was set to expire by the end of
June.

For Debian 11 bullseye, this problem has been fixed in version
2026b-0+deb11u1.

We recommend that you upgrade your tzdata packages.

For the detailed security status of tzdata please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tzdata

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DSA 6252-1] prosody security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6252-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 07, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : prosody
CVE ID : CVE-2026-43504 CVE-2026-43505 CVE-2026-43506
CVE-2026-43507

Multiple security issues were found in Prosody, a lightweight
Jabber/XMPP server, which could result in denial of service or
insufficient access control when using the SOCKS5 proxy module.

For the oldstable distribution (bookworm), these problems have been fixed
in version 0.12.3-1+deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 13.0.1-1+deb131u.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/prosody

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6251-1] libreoffice security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6251-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 07, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libreoffice
CVE ID : CVE-2026-4430

Dun Anh Nguyen discovered a buffer overflow in LibreOffice, which could
result in an out-of-bounds write if OOXML documents with malformed
encryption parameters are opened.

For the oldstable distribution (bookworm), this problem has been fixed
in version 4:7.4.7-1+deb12u11.

For the stable distribution (trixie), this problem has been fixed in
version 4:25.2.3-2+deb13u4.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6250-1] chromium security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6250-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
May 07, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2026-7896 CVE-2026-7897 CVE-2026-7898 CVE-2026-7899
CVE-2026-7900 CVE-2026-7901 CVE-2026-7902 CVE-2026-7903
CVE-2026-7904 CVE-2026-7905 CVE-2026-7906 CVE-2026-7907
CVE-2026-7908 CVE-2026-7909 CVE-2026-7910 CVE-2026-7911
CVE-2026-7912 CVE-2026-7913 CVE-2026-7914 CVE-2026-7915
CVE-2026-7916 CVE-2026-7917 CVE-2026-7918 CVE-2026-7919
CVE-2026-7920 CVE-2026-7921 CVE-2026-7922 CVE-2026-7923
CVE-2026-7924 CVE-2026-7925 CVE-2026-7926 CVE-2026-7927
CVE-2026-7928 CVE-2026-7929 CVE-2026-7930 CVE-2026-7931
CVE-2026-7932 CVE-2026-7933 CVE-2026-7934 CVE-2026-7935
CVE-2026-7936 CVE-2026-7937 CVE-2026-7938 CVE-2026-7939
CVE-2026-7940 CVE-2026-7941 CVE-2026-7942 CVE-2026-7943
CVE-2026-7944 CVE-2026-7945 CVE-2026-7946 CVE-2026-7947
CVE-2026-7948 CVE-2026-7949 CVE-2026-7950 CVE-2026-7951
CVE-2026-7952 CVE-2026-7953 CVE-2026-7954 CVE-2026-7955
CVE-2026-7956 CVE-2026-7957 CVE-2026-7958 CVE-2026-7959
CVE-2026-7960 CVE-2026-7961 CVE-2026-7962 CVE-2026-7963
CVE-2026-7964 CVE-2026-7965 CVE-2026-7966 CVE-2026-7967
CVE-2026-7968 CVE-2026-7969 CVE-2026-7970 CVE-2026-7971
CVE-2026-7972 CVE-2026-7973 CVE-2026-7974 CVE-2026-7975
CVE-2026-7976 CVE-2026-7977 CVE-2026-7978 CVE-2026-7979
CVE-2026-7980 CVE-2026-7981 CVE-2026-7982 CVE-2026-7983
CVE-2026-7984 CVE-2026-7985 CVE-2026-7986 CVE-2026-7987
CVE-2026-7988 CVE-2026-7989 CVE-2026-7990 CVE-2026-7991
CVE-2026-7992 CVE-2026-7993 CVE-2026-7994 CVE-2026-7995
CVE-2026-7996 CVE-2026-7997 CVE-2026-7998 CVE-2026-7999
CVE-2026-8000 CVE-2026-8001 CVE-2026-8002 CVE-2026-8003
CVE-2026-8004 CVE-2026-8005 CVE-2026-8006 CVE-2026-8007
CVE-2026-8008 CVE-2026-8009 CVE-2026-8010 CVE-2026-8011
CVE-2026-8012 CVE-2026-8013 CVE-2026-8014 CVE-2026-8015
CVE-2026-8016 CVE-2026-8017 CVE-2026-8018 CVE-2026-8019
CVE-2026-8020 CVE-2026-8021 CVE-2026-8022

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the oldstable distribution (bookworm), these problems have been fixed
in version 148.0.7778.96-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 148.0.7778.96-1~deb13u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DLA 4568-1] lcms2 security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4568-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
May 06, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : lcms2
Version : 2.8-4+deb9u2
CVE ID : CVE-2026-41254
Debian Bug : 1134335

It was discovered that there was an integer overflow vulnerability in
lcms2, aka Little CMS.

For Debian 11 bullseye, this problem has been fixed in version
2.8-4+deb9u2.

We recommend that you upgrade your lcms2 packages.

For the detailed security status of lcms2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lcms2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS