During the month of June 2026 and on behalf of Freexian, I worked on the following:
dovecot ------- Uploaded 1:2.3.13+dfsg1-2+deb11u4 and issued DLA-4617-1. https://lists.debian.org/msgid-search/[email protected] * CVE-2026-33603: Specially crafted base64 exchange between Dovecot and Client faking SCRAM TLS channel binding could lead to eavesdropping. * CVE-2026-40020: ACL injection causing IMAP folders can be shared-spammed to everyone. * CVE-2026-42006: Uncontrolled memory usage with excessive bracing over IMAP. This stems from an incomplete fix for CVE-2026-27857. Also, uploaded 1:2.3.4.1-5+deb10u9 to buster ELTS and issued ELA-1751-1. https://www.freexian.com/lts/extended/updates/ela-1751-1-dovecot/ The ELTS update also includes fixes for the vulnerabilities fixed in DLA 4556-1 for LTS suites: * CVE-2025-59031: No longer install decode2text.sh into dovecot-core/ examples as the script unsafely handles zip-style attachments. * CVE-2025-59032: ManageSieve panic occurs with sieve-connect as a client. * CVE-2026-0394: Path traversal in passwd-file passdb using %d. * CVE-2026-27856: Doveadm credentials were not checked using timing-safe checking function. * CVE-2026-27857: Sending excessive parenthesis caused imap-login to use excessive memory. * CVE-2026-27858: managesieve-login can allocate large amount of memory during authentication. * CVE-2026-27859: Excessive RFC 2231 MIME parameters in email would cause excessive CPU usage. libxml2 ------- Uploaded 2.9.10+dfsg-6.7+deb11u10 and issued DLA-4622-1. https://lists.debian.org/msgid-search/[email protected] * CVE-2025-8732: Missing cycle detection in catalog parsing functions. * CVE-2026-0989: Unbounded recursion in RelaxNG parser. * CVE-2026-0990: Unbounded recursion in `xmlCatalogXMLResolveURI()`. * CVE-2026-0992: Resource exhaustion when processing a chain of linked XML catalogs. * CVE-2026-1757: Memory leak in the xmllint(1) interactive shell. * Backport fixes for a few more security-related issues (memory leaks, use after free and stack overflow issues) for which no CVE ID was assigned (yet). Also, uploaded 2.9.4+dfsg1-7+deb10u14 (buster) and 2.9.4+dfsg1-2.2+deb9u16 (stretch), and issued ELA-1753-1 for ELTS suites. https://www.freexian.com/lts/extended/updates/ela-1753-1-libxml2/ Aso, fixed (o)s-pu bugs #1139255 (trixie) and #1139256 (bookworm) in order to fix these issues in (old)stable. Also, uploaded libxml2.9 2.12.7+dfsg+really2.9.14-2.4 to fix these issues in the sid-only src:libxml2.9. https://tracker.debian.org/news/1761122/accepted-libxml29-2127dfsgreally2914-24-source-into-unstable/ mediawiki --------- Finalized testing, uploaded 1:1.35.13-1+deb11u7 and issued DLA-4640-1. https://lists.debian.org/msgid-search/[email protected] * CVE-2026-34087 (OATHAuth extension): Users API leaks whether privileged users have their user groups disabled for lack of 2FA. * CVE-2026-34088: RecentChanges entries expose suppressed content via generated log page HTML. * CVE-2026-34093: Special:UserRights page allows viewing user rights from private wiki. * CVE-2026-34095: action=raw with Special:Mypage subpage title responds with "Content-Type: text/html" on ctype=text/javascript request, which may lead to cross-site scripting. libtext-csv-xs-perl ------------------- Uploaded 1.45-1+deb11u1 1.49-1+deb12u1 and issued DLA-4648-1. https://lists.debian.org/msgid-search/[email protected] * CVE-2026-7111: Use-after-free issue when registered callbacks extend the Perl argument stack. Also, uploaded 1.38-1+deb10u1 (buster) and 1.26-1+deb9u1 (stretch), and issued ELA-1756-1 for ELTS suites. https://www.freexian.com/lts/extended/updates/ela-1756-1-libtext-csv-xs-perl/ libdbi-perl ----------- Uploaded 1.643-3+deb11u1 and issued DLA-4649-1. https://lists.debian.org/msgid-search/[email protected] * CVE-2026-9698: Buffer overflow in error message reporting. * CVE-2026-10879: Out-of-bounds write when a prepared SQL statement had 10 or more binders. Also, uploaded 1.642-1+deb10u3 (buster) and 1.636-1+deb9u3 (stretch), and issued ELA-1758-1 for ELTS suites. https://www.freexian.com/lts/extended/updates/ela-1758-1-libdbi-perl/ python-urllib3 -------------- Uploaded 1.26.5-1~exp1+deb11u4 1.26.12-1+deb12u4 and issued DLA-4651-1. https://lists.debian.org/msgid-search/[email protected] * CVE-2026-44431: Sensitive headers were not stripped during cross-origin redirects followed from the low-level API. Also, uploaded 1.24.1-1+deb10u6 (buster) and 1.19.1-1+deb9u5 (stretch), and issued ELA-1761-1 for ELTS suites. https://www.freexian.com/lts/extended/updates/ela-1761-1-python-urllib3/ libhtml-parser-perl ------------------- Uploaded 3.75-1+deb11u1 and issued DLA-4655-1. https://lists.debian.org/msgid-search/[email protected] * CVE-2026-8829: Heap use-after-free issue in `_decode_entities()`. Also, uploaded 3.72-3+deb10u1 (buster) and 3.72-3+deb9u1 (stretch), and issued ELA-1763-1 for ELTS suites. https://www.freexian.com/lts/extended/updates/ela-1763-1-libhtml-parser-perl/ libraw ------ Work in progress for * CVE-2026-20889: Heap-based buffer overflow issue in x3f_thumb_loader(). * CVE-2026-21413: Heap-based buffer overflow issue in lossless_jpeg_load_raw(). * CVE-2026-20884: Integer overflow issue in deflate_dng_load_raw(). * CVE-2026-24660: Heap-based buffer overflow issue in x3f_load_huffman(). in LTS suites, but didn't upload yet. Thanks to the sponsors for financing the above, and to Freexian for coordinating! -- Guilhem.
signature.asc
Description: PGP signature
