Security
DSA-6120-1 tomcat10 - security update
Several security vulnerabilities have been found in Tomcat 10, a Java web server and servlet engine. This update improves the handling of HTTP/2 connections and corrects various flaws which can lead to uncontrolled resource consumption and a denial of service.
Categories: Security
DSA-6119-1 openjdk-25 - security update
Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in incorrect certificate validation, CRLF injection or
man-in-the-middle attacks.
Categories: Security
DSA-6118-1 thunderbird - security update
A security issue was discovered in Thunderbird, which could result in
information disclosure.
Categories: Security
DSA-6117-1 python-django - security update
Multiple security issues were found in Django, a Python web development
framework, which could result in SQL injection, directory traversal
or denial of service.
Categories: Security
DSA-6116-1 chromium - security update
A security issue was discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
Categories: Security
DSA-6115-1 gimp - security update
A buffer overflow was discovered in GIMP, the GNU Image Manipulation
Program, which could result in denial of service or potentially the
execution of arbitrary code if malformed PSP images are opened.
Categories: Security
DSA-6114-1 pyasn1 - security update
It was discovered that pyasn1, a generic ASN.1 library for Python, is
prone to a denial of service vulnerability, which may result in memory
exhaustion from malformed OID/RELATIVE-OID with excessive continuation
octets.
Categories: Security
DSA-6113-1 openssl - security update
Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit, which may result in denial of service,
information leaks, or potentially remote code execution.
Additional details can be found in the upstream advisory: https://openssl-library.org/news/secadv/20260127.txt
Categories: Security
DSA-6112-1 openjdk-21 - security update
Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in incorrect certificate validation, CRLF
injection or man-in-the-middle attacks.
Categories: Security
DSA-6111-1 imagemagick - security update
This update fixes multiple vulnerabilities in ImageMagick, which could
result in denial of service via MSL scripts or potentially the execution
of arbitrary code if malformed XBM images are processed.
Categories: Security
DSA-6110-1 openjdk-17 - security update
Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in incorrect certificate validation,
CRLF injection or man-in-the-middle attacks.
Categories: Security
DSA-6109-1 incus - security update
Two security issues were discovered in Incus, a system container and
virtual machine manager, which could result in the execution of arbitrary
commands via malformed images.
Categories: Security
DSA-6102-2 python-urllib3 - regression update
The update for python-urllib3 announced in DSA 6102-1 introduced a
regression in the patch meant to address CVE-2026-21441 for the
oldstable distribution (bookworm). Updated packages are now available to
correct this issue.
Categories: Security
DSA-6108-1 chromium - security update
A security issue was discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
Categories: Security
DSA-6107-1 bind9 - security update
Vlatko Kosturjak discovered that BIND, a DNS server implementation, does
not properly handle malformed BRID/HHIT records, which may result in
denial of service (named daemon crash).
Categories: Security
DSA-6106-1 inetutils - security update
Kyu Neushwaistein discovered that telnetd from inetutils does not
sanitize the USER environment variable before passing it on to login. A
remote attacker can take advantage of this flaw to log in as root,
bypassing normal authentication processes.
Categories: Security
DSA-6105-1 modsecurity-crs - security update
It was discovered that one of the rules in the OWASP ModSecurity Core
Rule Set parsed some multipart requests incorrectly.
Categories: Security
DSA-6104-1 python-keystonemiddleware - security update
Grzegorz Grasza discovered a vulnerability in the OpenStack middleware to
provide authentication and authorization features to web services other
than Keystone: If an external OAuth provider is configured,
authentication headers are insufficiently sanitised, which could result
in privilege escalation or user impersonation.
The oldstable distribution (bookworm) is not affected.
Categories: Security
DSA-6103-1 thunderbird - security update
Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.
Categories: Security
DSA-6102-1 python-urllib3 - security update
Several vulnerabilities were discovered in python-urllib3, an HTTP
library with thread-safe connection pooling for Python3, which could
result in denial of service or request forgery.
Categories: Security
