Debian LTS/ELTS report - April 2026
During the month of April 2026 and on behalf of Freexian, I worked on the
following:
containerd
----------
Uploaded containerd/1.6.20~ds1-1+deb12u3 for Debian bookworm (oldstable).
I proposed this new version back in February, cf. #1127704.
systemd
-------
Uploaded systemd/247.3-7+deb11u8 and issued DLA-4533-1:
* CVE-2026-4105: machined: local privilege escalation
* CVE-2026-29111: Local unprivileged user can trigger a stack overwrite,
with attacker-controlled content, in systemd
* CVE-2026-40225: udev: local root execution via malicious hardware
devices and unsanitized kernel output
* CVE-2026-40226: nspawn: escape-to-host via malformed optional config
file
python3.9
---------
Uploaded python3.9/3.9.2-1+deb11u6 and issued DLA-4532-1:
* CVE-2025-15366 and CVE-2025-15367: Reverted, as it breaks backward
compatibility; upstream didn't backport it at all.
* CVE-2026-6100: Use-after-free in LZMA and BZ2 decompressors, when a
memory allocation fails with a `MemoryError` and the decompression
instance is re-used. This scenario can be triggered if the process is
under memory pressure.
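As an added illustration of the CVE-2026-6100 failure mode (not code from the report or from the Debian python3.9 package), the wrapper below discards an LZMA/BZ2 decompressor object after any MemoryError instead of reusing it; the `OneShotDecompressor` class and the `_FailingDecompressor` stub are assumed names constructed here for demonstration.

```python
import lzma


class OneShotDecompressor:
    """Wrap an lzma/bz2 decompressor so it is never reused after a
    MemoryError, the re-use pattern CVE-2026-6100 describes."""

    def __init__(self, factory=lzma.LZMADecompressor):
        self._dec = factory()
        self.poisoned = False

    def decompress(self, data, max_length=-1):
        if self.poisoned:
            # Refuse to touch a decompressor whose internal state may be
            # inconsistent; the caller must build a fresh instance.
            raise RuntimeError("decompressor discarded after MemoryError")
        try:
            return self._dec.decompress(data, max_length)
        except MemoryError:
            # Drop the underlying object so no later call can reach it.
            self.poisoned = True
            self._dec = None
            raise


class _FailingDecompressor:
    """Constructed stand-in that simulates an allocation failure."""

    def decompress(self, data, max_length=-1):
        raise MemoryError("simulated allocation failure")


def roundtrip(payload: bytes) -> bytes:
    """Normal path: compress with lzma, decompress through the wrapper."""
    return OneShotDecompressor().decompress(lzma.compress(payload))


def demo_memory_error() -> dict:
    """Failure path: first call raises MemoryError, second call is refused."""
    dec = OneShotDecompressor(_FailingDecompressor)
    result = {"first_raised_memory_error": False, "reuse_refused": False}
    try:
        dec.decompress(b"\x00")
    except MemoryError:
        result["first_raised_memory_error"] = True
    try:
        dec.decompress(b"\x00")
    except RuntimeError:
        result["reuse_refused"] = True
    result["poisoned"] = dec.poisoned
    return result
```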
python3.11
----------
Uploaded python3.11/3.11.2-6+deb12u7 for Debian bookworm (oldstable), in
order to catch up with Debian bullseye (LTS), cf. #1126814.
Thanks
------
Thanks to our sponsors for making this possible, and to Freexian for
handling the offering: <https://www.freexian.com/lts/debian/#sponsors>.
--
Arnaud