During the month of May 2026 and on behalf of Freexian, I worked on the
following:

php
------

Uploaded php7.4=7.4.33-1+deb11u11, php7.3=7.3.31-1~deb10u13 and
php7.0=7.0.33-0+deb9u23, and issued DLA-4586-1, ELA-1722-1 and
ELA-1723-1.
https://lists.debian.org/msgid-search/[email protected]
https://www.freexian.com/lts/extended/updates/ela-1722-1-php7.3/
https://www.freexian.com/lts/extended/updates/ela-1723-1-php7.0/

  * CVE-2026-6722: Use-after-free issue was discovered in the SOAP
    extension.
  * CVE-2026-6735: Cross-site scripting vulnerability in the PHP-FPM
    status page.
  * CVE-2026-7258: Out-of-bounds read issue was discovered in
    `urldecode()`.
  * CVE-2026-7261: Use-after-free issue after header parsing failure
    when SoapServer is configured with SOAP_PERSISTENCE_SESSION.
  * CVE-2026-7262: NULL pointer dereference issue in SOAP apache:Map
    decoder with missing `<value>` element.
  * CVE-2026-7568: Signed integer overflow in the `metaphone()` function
    from the PHP standard library.

gnutls28
--------

Uploaded 3.7.1-5+deb11u10 and issued DLA-4595-1.
https://lists.debian.org/msgid-search/[email protected]

  * CVE-2026-3833: Policy bypass due to case-sensitive nameconstraints
    comparison.
  * CVE-2026-5260: Remote OOB read in PKCS#11 RSA decrypt path via short
    ClientKeyExchange.
  * CVE-2026-33845: Denial of service via DTLS zero-length fragment.
  * CVE-2026-33846: Denial of service via heap buffer overflow in DTLS
    handshake fragment reassembly.
  * CVE-2026-42009: Denial of service via DTLS packet reordering
    vulnerability.
  * CVE-2026-42010: Security bypass due to incorrect name constraint
    handling.
  * CVE-2026-42011: Security bypass due to incorrect name constraint
    handling.
  * CVE-2026-42012: CN fallback with unsupported SAN type.
  * CVE-2026-42013: Hostname verification bypass via oversized dNSName
    SAN forcing CN fallback (RFC 6125 Violation).
  * CVE-2026-42014: Use-after-free in `gnutls_pkcs11_token_set_pin()`
    when retrieving SO PIN.
  * CVE-2026-42015: PKCS#12 bag append after parsed full-capacity bag
    causes heap out-of-bounds write.
  * [Plus 6 security issues with minor impact for which no CVE ID was
    assigned yet.]

Also uploaded to 3.6.7-4+deb10u16 (buster) and 3.5.8-5+deb9u11
(stretch), and issued ELA-1732-1.
https://www.freexian.com/lts/extended/updates/ela-1732-1-gnutls28/

roundcube
---------

Uploaded 1.4.15+dfsg.1-1+deb11u9 and issued DLA-4604-1.
https://lists.debian.org/msgid-search/[email protected]

  * CVE-2026-48842: Pre-auth SQL injection in `virtuser_query` plugin
    via `preg_replace()` backslash escape bypass.
  * CVE-2026-48843: SSRF bypass via specific local address URLs.  Adjusted
    the custom patch to add support for non-quad-dotted IPs and
    non-decimal fields in order to match the new upstream behavior.
  * CVE-2026-48844: Code injection vulnerability via code evaluation
    support in LDAP autovalues option.
  * CVE-2026-48845: Local/private URL fetch bypass when remote resources
    were not allowed.
  * CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
  * CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
    session poisoning bypass.
  * CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG
    `<animate attributeName="style">`.
  * CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
    the draft restore dialog.

dovecot
-------

Work in progress for older suites following DLA-4556-1.

mapserver
---------

Uploaded 8.0.0-3+deb12u1 with a fix for CVE-2026-33721.  The package was
released as part of 12.14.


Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.
