During the month of January 2026 and on behalf of Freexian, I worked on the following:

cjose
-----

Uploaded 0.4.1-3+deb9u1 and issued ELA-1616-1.
https://www.freexian.com/lts/extended/updates/ela-1616-1-cjose/

* CVE-2023-37464: incorrect Authentication Tag length usage in AES GCM
  decryption.

python-urllib3
--------------

Uploaded 1.26.5-1~exp1+deb11u3 and 1.24.1-1+deb10u5, and issued DLA-4446-1
and ELA-1618-1.
https://lists.debian.org/msgid-search/[email protected]
https://www.freexian.com/lts/extended/updates/ela-1618-1-python-urllib3/

* CVE-2026-21441: Decompression-bomb safeguards bypass when following HTTP
  redirects.

php
---

Uploaded php7.4=7.4.33-1+deb11u10 and php7.3=7.3.31-1~deb10u12, and issued
DLA-4447-1 and ELA-1622-1.
https://lists.debian.org/msgid-search/[email protected]
https://www.freexian.com/lts/extended/updates/ela-1622-1-php7.3/

* CVE-2025-14178: Heap buffer overflow in array_merge().
* GHSA-www2-q4fc-65wf: Missing null contain check in dns_get_record() and
  other DNS functions.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!

-- 
Guilhem.
