Debian Security

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6177-1

Kazuma Matsumoto discovered an integer overflow bug in the EAP-TTLS plugin of strongSwan, an IKE/IPsec suite.

The EAP-TTLS plugin doesn't check the length field in the header of attribute-value pairs (AVPs) tunneled in EAP-TTLS, which can cause an integer underflow that may lead to a crash. An unauthenticated attacker could exploit this for a DoS attack by sending a crafted message.

https://security-tracker.debian.org/tracker/DSA-6176-1

Several vulnerabilities were discovered in libyaml-syck-perl, a Perl module providing a fast, lightweight YAML loader and dumper, which may result in denial of service and potentially arbitrary code execution.

https://security-tracker.debian.org/tracker/DSA-6175-1

Jul Blobul discovered that SPIP, a website engine for publishing, is prone to a privilege escalation vulnerability.

https://security-tracker.debian.org/tracker/DSA-6174-1

Louis Moureaux discovered that incorrect packet processing in the game server of Freeciv, a free clone of the turn based strategy game Civilization, could result in denial of service.

https://security-tracker.debian.org/tracker/DSA-6173-1

The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-43214

shandikri discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43457

Gary Kwong and Hossein Lotfi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2025-43511

Lee Dong Ha discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2026-20608

HanQing and Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2026-20635

EntryHi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2026-20636

EntryHi discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2026-20644

HanQing and Nan Wang discovered that processing maliciously crafted web content may lead to an unexpected process crash.

CVE-2026-20652

Nathaniel Oh discovered that a remote attacker may be able to cause a denial-of-service.

CVE-2026-20676

Tom Van Goethem discovered that a website may be able to track users through web extensions.

https://security-tracker.debian.org/tracker/DSA-6172-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6171-1

The Qualys Threat Research Unit (TRU) discovered a local privilege escalation vulnerability in snapd, a daemon and tooling that enable snap packages. Details can be found in the Qualys advisory at https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt

https://security-tracker.debian.org/tracker/DSA-6170-1

Multiple security vulnerabilities were discovered in imagemagick, a software suite used for editing and manipulating digital images, which could lead to symlink races, information leaks, denial of service and potentially arbitrary code execution.

https://security-tracker.debian.org/tracker/DSA-6169-1

It was discovered that an integer overflow in the Freetype font engine could result in information disclosure or denial of service.

The oldstable distribution (bookworm) is not affected.

https://security-tracker.debian.org/tracker/DSA-6168-1

An integer overflow was discovered in the RIFF parser of the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

https://security-tracker.debian.org/tracker/DSA-6167-1

Multiple vulnerabilities were discovered in Node.js, which could result in denial of service or information disclosure or bypass of file restrictions.

https://security-tracker.debian.org/tracker/DSA-6166-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Google is aware that exploits for both CVEs exist in the wild.

https://security-tracker.debian.org/tracker/DSA-6165-1

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

https://security-tracker.debian.org/tracker/DSA-6164-1

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

The Qualys Threat Research Unit (TRU) discovered several vulnerabilities in Apparmor. Details can be found in the Qualys advisory at https://www.qualys.com/2026/03/10/crack-armor.txt

https://security-tracker.debian.org/tracker/DSA-6163-1

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

The Qualys Threat Research Unit (TRU) discovered several vulnerabilities in Apparmor. Details can be found in the Qualys advisory at https://www.qualys.com/2026/03/10/crack-armor.txt

https://security-tracker.debian.org/tracker/DSA-6162-1

It was discovered that the parse_options_header() function of multipart, a Python multipart/form-data parser was susceptible to denial of service via malformed request headers or multipart/form-data streams.

https://security-tracker.debian.org/tracker/DSA-6161-1

Several security vulnerabilities have been discovered in Netty, a Java NIO client/server socket framework. It was found that Netty was vulnerable to the MadeYouReset DDoS attack, a logical vulnerability in the HTTP/2 protocol itself and programming errors which enabled request smuggling attacks. Additionally Netty contained an SMTP command injection vulnerability due to insufficient input validation potentially allowing remote attackers to forge arbitrary emails from trusted servers.

The security update for bookworm also contains the fix for CVE-2024-29025. Julien Viet discovered that Netty was vulnerable to allocation of resources without limits or throttling due to the accumulation of data in the HttpPostRequestDecoder. This would allow an attacker to cause a denial of service.

https://security-tracker.debian.org/tracker/DSA-6160-1

Multiple security vulnerabilities were discovered in imagemagick, a software suite used for editing and manipulating digital images, which could lead to information leaks, bypass of security policies, denial of service or arbitrary code execution.

https://security-tracker.debian.org/tracker/DSA-6159-1

Multiple security vulnerabilities were discovered in imagemagick, a software suite used for editing and manipulating digital images, which could lead to information leaks, bypass of security policies, denial of service or arbitrary code execution.

https://security-tracker.debian.org/tracker/DSA-6158-1