During the month of June 2026 and on behalf of Freexian, I worked on the
following:

dovecot
-------

Uploaded 1:2.3.13+dfsg1-2+deb11u4 and issued DLA-4617-1.
https://lists.debian.org/msgid-search/[email protected]

  * CVE-2026-33603: Specially crafted base64 exchange between Dovecot
    and Client faking SCRAM TLS channel binding could lead to
    eavesdropping.
  * CVE-2026-40020: ACL injection causing IMAP folders can be
    shared-spammed to everyone.
  * CVE-2026-42006: Uncontrolled memory usage with excessive bracing
    over IMAP.  This stems from an incomplete fix for CVE-2026-27857.

Also, uploaded 1:2.3.4.1-5+deb10u9 to buster ELTS and issued ELA-1751-1.
https://www.freexian.com/lts/extended/updates/ela-1751-1-dovecot/
The ELTS update also includes fixes for the vulnerabilities fixed in DLA
4556-1 for LTS suites:

  * CVE-2025-59031: No longer install decode2text.sh into dovecot-core/
    examples as the script unsafely handles zip-style attachments.
  * CVE-2025-59032: ManageSieve panic occurs with sieve-connect as a
    client.
  * CVE-2026-0394: Path traversal in passwd-file passdb using %d.
  * CVE-2026-27856: Doveadm credentials were not checked using
    timing-safe checking function.
  * CVE-2026-27857: Sending excessive parenthesis caused imap-login to
    use excessive memory.
  * CVE-2026-27858: managesieve-login can allocate large amount of
    memory during authentication.
  * CVE-2026-27859: Excessive RFC 2231 MIME parameters in email would
    cause excessive CPU usage.

libxml2
-------

Uploaded 2.9.10+dfsg-6.7+deb11u10 and issued DLA-4622-1.
https://lists.debian.org/msgid-search/[email protected]

  * CVE-2025-8732: Missing cycle detection in catalog parsing functions.
  * CVE-2026-0989: Unbounded recursion in RelaxNG parser.
  * CVE-2026-0990: Unbounded recursion in `xmlCatalogXMLResolveURI()`.
  * CVE-2026-0992: Resource exhaustion when processing a chain of linked
    XML catalogs.
  * CVE-2026-1757: Memory leak in the xmllint(1) interactive shell.
  * Backport fixes for a few more security-related issues (memory leaks,
    use after free and stack overflow issues) for which no CVE ID was
    assigned (yet).

Also, uploaded 2.9.4+dfsg1-7+deb10u14 (buster) and 2.9.4+dfsg1-2.2+deb9u16
(stretch), and issued ELA-1753-1 for ELTS suites.
https://www.freexian.com/lts/extended/updates/ela-1753-1-libxml2/

Aso, fixed (o)s-pu bugs #1139255 (trixie) and #1139256 (bookworm) in
order to fix these issues in (old)stable.

Also, uploaded libxml2.9 2.12.7+dfsg+really2.9.14-2.4 to fix these issues
in the sid-only src:libxml2.9.
https://tracker.debian.org/news/1761122/accepted-libxml29-2127dfsgreally2914-24-source-into-unstable/

mediawiki
---------

Finalized testing, uploaded 1:1.35.13-1+deb11u7 and issued DLA-4640-1.
https://lists.debian.org/msgid-search/[email protected]

  * CVE-2026-34087 (OATHAuth extension): Users API leaks whether
    privileged users have their user groups disabled for lack of 2FA.
  * CVE-2026-34088: RecentChanges entries expose suppressed content via
    generated log page HTML.
  * CVE-2026-34093: Special:UserRights page allows viewing user rights
    from private wiki.
  * CVE-2026-34095: action=raw with Special:Mypage subpage title
    responds with "Content-Type: text/html" on ctype=text/javascript
    request, which may lead to cross-site scripting.

libtext-csv-xs-perl
-------------------

Uploaded 1.45-1+deb11u1 1.49-1+deb12u1 and issued DLA-4648-1.
https://lists.debian.org/msgid-search/[email protected]

  * CVE-2026-7111: Use-after-free issue when registered callbacks extend
    the Perl argument stack.

Also, uploaded 1.38-1+deb10u1 (buster) and 1.26-1+deb9u1 (stretch), and
issued ELA-1756-1 for ELTS suites.
https://www.freexian.com/lts/extended/updates/ela-1756-1-libtext-csv-xs-perl/

libdbi-perl
-----------

Uploaded 1.643-3+deb11u1 and issued DLA-4649-1.
https://lists.debian.org/msgid-search/[email protected]

  * CVE-2026-9698: Buffer overflow in error message reporting.
  * CVE-2026-10879: Out-of-bounds write when a prepared SQL statement
    had 10 or more binders.

Also, uploaded 1.642-1+deb10u3 (buster) and 1.636-1+deb9u3 (stretch),
and issued ELA-1758-1 for ELTS suites.
https://www.freexian.com/lts/extended/updates/ela-1758-1-libdbi-perl/

python-urllib3
--------------

Uploaded 1.26.5-1~exp1+deb11u4 1.26.12-1+deb12u4 and issued DLA-4651-1.
https://lists.debian.org/msgid-search/[email protected]

  * CVE-2026-44431: Sensitive headers were not stripped during
    cross-origin redirects followed from the low-level API.

Also, uploaded 1.24.1-1+deb10u6 (buster) and 1.19.1-1+deb9u5 (stretch),
and issued ELA-1761-1 for ELTS suites.
https://www.freexian.com/lts/extended/updates/ela-1761-1-python-urllib3/

libhtml-parser-perl
-------------------

Uploaded 3.75-1+deb11u1 and issued DLA-4655-1.
https://lists.debian.org/msgid-search/[email protected]

  * CVE-2026-8829: Heap use-after-free issue in `_decode_entities()`.

Also, uploaded 3.72-3+deb10u1 (buster) and 3.72-3+deb9u1 (stretch), and
issued ELA-1763-1 for ELTS suites.
https://www.freexian.com/lts/extended/updates/ela-1763-1-libhtml-parser-perl/

libraw
------

Work in progress for

 * CVE-2026-20889: Heap-based buffer overflow issue in x3f_thumb_loader().
 * CVE-2026-21413: Heap-based buffer overflow issue in lossless_jpeg_load_raw().
 * CVE-2026-20884: Integer overflow issue in deflate_dng_load_raw().
 * CVE-2026-24660: Heap-based buffer overflow issue in x3f_load_huffman().

in LTS suites, but didn't upload yet.


Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.

Attachment: signature.asc
Description: PGP signature

Reply via email to