During the month of May 2026 and on behalf of Freexian, I worked on the following:
php
---

Uploaded php7.4=7.4.33-1+deb11u11, php7.3=7.3.31-1~deb10u13 and
php7.0=7.0.33-0+deb9u23, and issued DLA-4586-1, ELA-1722-1 and ELA-1723-1.
https://lists.debian.org/msgid-search/[email protected]
https://www.freexian.com/lts/extended/updates/ela-1722-1-php7.3/
https://www.freexian.com/lts/extended/updates/ela-1723-1-php7.0/

* CVE-2026-6722: Use-after-free issue was discovered in the SOAP extension.
* CVE-2026-6735: Cross-site scripting vulnerability in the PHP-FPM status page.
* CVE-2026-7258: Out-of-bounds read issue was discovered in `urldecode()`.
* CVE-2026-7261: Use-after-free issue after header parsing failure when
  SoapServer is configured with SOAP_PERSISTENCE_SESSION.
* CVE-2026-7262: NULL pointer dereference issue in SOAP apache:Map decoder
  with missing `<value>` element.
* CVE-2026-7568: Signed integer overflow in the `metaphone()` function from
  the PHP standard library.

gnutls28
--------

Uploaded 3.7.1-5+deb11u10 and issued DLA-4595-1.
https://lists.debian.org/msgid-search/[email protected]

* CVE-2026-3833: Policy bypass due to case-sensitive nameconstraints comparison.
* CVE-2026-5260: Remote OOB read in PKCS#11 RSA decrypt path via short
  ClientKeyExchange.
* CVE-2026-33845: Denial of service via DTLS zero-length fragment.
* CVE-2026-33846: Denial of service via heap buffer overflow in DTLS handshake
  fragment reassembly.
* CVE-2026-42009: Denial of service via DTLS packet reordering vulnerability.
* CVE-2026-42010: Security bypass due to incorrect name constraint handling.
* CVE-2026-42011: Security bypass due to incorrect name constraint handling.
* CVE-2026-42012: CN fallback with unsupported SAN type.
* CVE-2026-42013: Hostname verification bypass via oversized dNSName SAN
  forcing CN fallback (RFC 6125 violation).
* CVE-2026-42014: Use-after-free in `gnutls_pkcs11_token_set_pin()` when
  retrieving SO PIN.
* CVE-2026-42015: PKCS#12 bag append after parsed full-capacity bag causes
  heap out-of-bounds write.
* [Plus 6 security issues with minor impact for which no CVE ID was assigned
  yet.]

Also uploaded 3.6.7-4+deb10u16 (buster) and 3.5.8-5+deb9u11 (stretch), and
issued ELA-1732-1.
https://www.freexian.com/lts/extended/updates/ela-1732-1-gnutls28/

roundcube
---------

Uploaded 1.4.15+dfsg.1-1+deb11u9 and issued DLA-4604-1.
https://lists.debian.org/msgid-search/[email protected]

* CVE-2026-48842: Pre-auth SQL injection in `virtuser_query` plugin via
  `preg_replace()` backslash escape bypass.
* CVE-2026-48843: SSRF bypass via specific local address URLs. Adjusted the
  custom patch to add support for non-quad-dotted IPs and non-decimal fields
  in order to match the new upstream behavior.
* CVE-2026-48844: Code injection vulnerability via code evaluation support in
  LDAP autovalues option.
* CVE-2026-48845: Local/private URL fetch bypass when remote resources were
  not allowed.
* CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
* CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache session
  poisoning bypass.
* CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG
  `<animate attributeName="style">`.
* CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of the draft
  restore dialog.

dovecot
-------

Work in progress for older suites following DLA-4556-1.

mapserver
---------

Uploaded 8.0.0-3+deb12u1 with a fix for CVE-2026-33721. The package was
released as part of 12.14.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!

-- 
Guilhem.
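Added illustration, not part of the report above and not roundcube's code or the patch it mentions: the CVE-2026-48843 item notes that a local-address filter must understand "non quad-dotted IPs and non-decimal fields". The block below shows the general problem with a constructed set of URLs that all name the loopback address in different textual forms, compares a string-equality blocklist against a filter that canonicalises the host through the platform `inet_aton()` (glibc/BSD accept shorthand, octal, hexadecimal and single-integer IPv4 literals), and returns the forms the naive check lets through. The sample URLs and the helper names (`naive_is_local`, `hardened_is_local`, `canonical_ip`, `missed_by_naive_check`) are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the advisory): every entry except the
# last one refers to the local host, spelled in a form the C resolver accepts.
SAMPLE_URLS = [
    "http://127.0.0.1/",      # canonical dotted quad
    "http://127.1/",          # shorthand: missing fields are zero-filled
    "http://0177.0.0.1/",     # octal first field
    "http://0x7f.0.0.1/",     # hexadecimal first field
    "http://2130706433/",     # whole address as one 32-bit integer
    "http://[::1]/",          # IPv6 loopback
    "http://93.184.216.34/",  # a public address, used as the negative case
]

# A blocklist of literal strings: the shape of check that the bypass forms evade.
NAIVE_BLOCKLIST = {"127.0.0.1", "localhost", "::1"}


def naive_is_local(url: str) -> bool:
    """Compare the host string directly against a blocklist of literals."""
    host = urlsplit(url).hostname or ""
    return host in NAIVE_BLOCKLIST


def canonical_ip(host: str):
    """Return an ipaddress object for any IP literal the resolver would accept,
    or None when the host is a DNS name rather than a literal.

    inet_aton() is consulted first because it understands the shorthand,
    octal, hex and integer spellings that ipaddress.ip_address() rejects
    (and that older Python versions would misread as decimal)."""
    try:
        packed = socket.inet_aton(host)       # assumption: glibc/BSD semantics
        return ipaddress.IPv4Address(packed)  # 4 packed bytes -> canonical form
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)     # IPv6 literals such as ::1
    except ValueError:
        return None


def hardened_is_local(url: str) -> bool:
    """Decide on the canonical address, not on the spelling in the URL."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    addr = canonical_ip(host)
    if addr is None:
        # A DNS name: a real filter resolves it and re-checks every answer;
        # that step is out of scope for this illustration.
        return False
    return (addr.is_loopback or addr.is_private
            or addr.is_link_local or addr.is_unspecified)


def missed_by_naive_check(urls=SAMPLE_URLS):
    """Return the URLs the literal blocklist accepts but the canonical check blocks."""
    return [u for u in urls if hardened_is_local(u) and not naive_is_local(u)]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:28} naive={naive_is_local(url)!s:5} hardened={hardened_is_local(url)}")
    print("missed by naive check:", missed_by_naive_check())
```

The point of the comparison is that the textual host is never the thing to block: canonicalise first (including through whatever the fetching library will pass to the resolver), then classify the resulting address, and apply the same classification to every address a DNS name resolves to.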
