
Recent security advisories address critical flaws in several widely used Debian packages like unbound, varnish, starlette, roundcube, and erlang. Attackers could exploit these weaknesses to trigger denial of service attacks, poison DNS caches, bypass authentication checks, or inject malicious code directly into affected systems. Patches have already been rolled out for older stable releases and current testing branches to resolve the listed CVE identifiers.

[DSA 6304-1] unbound security update
[DSA 6303-1] varnish security update
[DSA 6302-1] starlette security update
[DSA 6301-1] roundcube security update
ELA-1736-1 erlang security update (by )




[SECURITY] [DSA 6304-1] unbound security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6304-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 27, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : unbound
CVE ID : CVE-2026-33278 CVE-2026-42944 CVE-2026-42959
CVE-2026-32792 CVE-2026-40622 CVE-2026-41292
CVE-2026-42534 CVE-2026-42923 CVE-2026-42960
CVE-2026-44390 CVE-2026-44608

Multiple security vulnerabilities were discovered in Unbound, a
validating, recursive, caching DNS resolver, which could result
in denial of service, cache poisoning or potentially the execution
of arbitrary code.

For the stable distribution (trixie), this problem has been fixed in
version 1.22.0-2+deb13u3.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6303-1] varnish security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6303-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 27, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : varnish
CVE ID : CVE-2025-8671

Two security issues were discovered in the Varnish web accelerator,
which could result in cache poisoning or authentication bypass.

For the stable distribution (trixie), this problem has been fixed in
version 7.7.0-3+deb13u1.

We recommend that you upgrade your varnish packages.

For the detailed security status of varnish please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/varnish

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6302-1] starlette security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6302-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 27, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : starlette
CVE ID : CVE-2026-48710

It was discovered that missing validation of Host: headers in the
Starlette ASGI framework could result in a bypass of security checks.

For the oldstable distribution (bookworm), this problem has been fixed
in version 0.26.1-1+deb12u1. This update also resolves three additional
security issues (CVE-2023-29159, CVE-2024-47874 and CVE-2025-54121).

For the stable distribution (trixie), this problem has been fixed in
version 0.46.1-3+deb13u2.

We recommend that you upgrade your starlette packages.

For the detailed security status of starlette please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/starlette

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6301-1] roundcube security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6301-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 27, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : roundcube
CVE ID : CVE-2026-48842 CVE-2026-48843 CVE-2026-48844 CVE-2026-48845
CVE-2026-48846 CVE-2026-48847 CVE-2026-48848 CVE-2026-48849

Multiple security vulnerabilities were discovered in RoundCube Webmail,
which could result in cross-site scripting, SQL injection, SSRF bypass,
information disclosure, denial of service or code injection.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1.6.5+dfsg-1+deb12u9.

For the stable distribution (trixie), these problems have been fixed in
version 1.6.16+dfsg-0+deb13u1.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
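The four DSA notices above share one fixed-width layout. The parser below is an added example, not Debian's own tooling: it pulls the advisory id, package, the CVE list (including wrapped continuation lines and CVEs that are only mentioned in the body, as in the starlette notice) and the per-suite fixed versions out of that text. The embedded sample is the starlette notice copied from this digest, trimmed to the lines the parser reads.

```python
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# "For the stable distribution (trixie), this problem has been fixed in version X."
# The sentence wraps at arbitrary points, so every gap is matched with \s+.
FIX_RE = re.compile(
    r"For the (?P<suite>\w+) distribution \((?P<codename>\w+)\),\s+"
    r"(?:this|these) problems? (?:has|have) been fixed\s+in\s+version\s+"
    r"(?P<version>[^\s.]+(?:\.[^\s.]+)*)\."
)

@dataclass
class Advisory:
    dsa_id: str
    package: str
    header_cves: list   # CVE IDs from the "CVE ID :" field (may span lines)
    extra_cves: list    # CVE IDs only mentioned in the body text
    fixes: dict         # codename -> fixed package version

def parse_dsa(text: str) -> Advisory:
    dsa_id = re.search(r"Debian Security Advisory (DSA-\d+-\d+)", text).group(1)
    package = re.search(r"^Package\s*:\s*(\S+)", text, re.M).group(1)
    # The CVE ID field runs from "CVE ID :" up to the first blank line.
    cve_field = re.search(r"^CVE ID\s*:(.*?)\n[ \t]*\n", text, re.M | re.S).group(1)
    header = CVE_RE.findall(cve_field)
    extra = [c for c in dict.fromkeys(CVE_RE.findall(text)) if c not in header]
    fixes = {m["codename"]: m["version"] for m in FIX_RE.finditer(text)}
    return Advisory(dsa_id, package, header, extra, fixes)

# Sample input: the starlette notice from this digest, trimmed to the lines the parser reads.
SAMPLE = """Debian Security Advisory DSA-6302-1 security@debian.org

Package : starlette
CVE ID : CVE-2026-48710

It was discovered that missing validation of Host: headers in the
Starlette ASGI framework could result in a bypass of security checks.

For the oldstable distribution (bookworm), this problem has been fixed
in version 0.26.1-1+deb12u1. This update also resolves three additional
security issues (CVE-2023-29159, CVE-2024-47874 and CVE-2025-54121).

For the stable distribution (trixie), this problem has been fixed in
version 0.46.1-3+deb13u2.
"""

if __name__ == "__main__":
    print(parse_dsa(SAMPLE))
```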


ELA-1736-1 erlang security update (by )


Package : erlang
Version : 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u6 (stretch), 1:22.2.7+dfsg-1+deb10u5 (buster)
Related CVEs : CVE-2026-21620 CVE-2026-23941 CVE-2026-23942 CVE-2026-23943


Multiple vulnerabilities were discovered in Erlang, a concurrent, real-time,
distributed functional language.
CVE-2026-21620
Insufficient path sanitizing in tftp_file module.

CVE-2026-23941
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in Erlang OTP (inets httpd module) allows HTTP Request
Smuggling.

CVE-2026-23942
Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path
Traversal.

CVE-2026-23943
Improper Handling of Highly Compressed Data (Compression Bomb)
vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of
Service via Resource Depletion.

