Debian security patch wave

Debian published a new batch of security advisories covering packages such as inetutils and webkit2gtk, and reported a ClamAV update as part of a broader weekly Linux security roundup. The bulletin also flagged urgent issues in Red Hat’s Cockpit interface across major distributions. (linuxcompatible.org)

Debian spent the past three weeks pushing security fixes for internet tools, a browser engine, image parsing, and a Perl data library. (debian.org)

The internet-tools update landed on April 3, 2026, as Debian Security Advisory 6193-1 for `inetutils`, which includes `telnet` and `telnetd`. Debian said the flaws could lead to privilege escalation or information disclosure, and fixed them in bookworm with `2:2.4-2+deb12u3` and in trixie with `2:2.6-3+deb13u3`. (lists.debian.org) Debian’s tracker shows the `inetutils` issues as CVE-2026-32746 and CVE-2026-32772. One entry says the `telnet` client through version 2.7 lets servers read arbitrary environment variables from a client machine. (security-tracker.debian.org, security-tracker.debian.org)

A separate Debian advisory on March 22, 2026, covered `libyaml-syck-perl`, a module that reads and writes YAML, a common text format for configuration files. Debian said CVE-2026-4177 could cause denial of service and potentially arbitrary code execution, with fixes in `1.34-2+deb12u2` for bookworm and `1.34-2+deb13u2` for trixie. (debian.org)

On March 20, 2026, Debian also shipped a `webkit2gtk` update, the browser engine used by many Linux desktop apps to display web content. Debian said the bugs included a remote denial-of-service issue and a web-extension tracking issue, and fixed bookworm in version `2.50.6-1~deb12u1`; Debian 11 bullseye later got the same fixes through a Long Term Support advisory dated April 8, 2026. (lists.debian.org, lists.debian.org)

The newest Debian advisory in this batch arrived on April 11, 2026, for `gdk-pixbuf`, the image-loading library behind thumbnails and previews across the GNU/Linux desktop. Debian said CVE-2026-5201 came from improper validation in the JPEG loader and could allow arbitrary code execution or denial of service when a crafted image is processed. (lists.debian.org)

The roundup that pulled these notices together also pointed to a ClamAV package update. LinuxCompatible described it as part of the same weekly Debian patch wave, alongside the `inetutils`, `webkit2gtk`, `gdk-pixbuf`, and `libyaml-syck-perl` fixes. (linuxcompatible.org)

The same bulletin flagged a separate Red Hat issue in Cockpit, the web interface used to administer Linux servers from a browser. Red Hat published advisory RHSA-2026:7383 on April 10, 2026, rated it Critical, and titled it an unauthenticated remote code execution flaw caused by Secure Shell command-line argument injection in Cockpit. (access.redhat.com) Red Hat’s advisory says Cockpit is used for network configuration, log inspection, diagnostic reports, Security-Enhanced Linux troubleshooting, and interactive shell sessions. That makes the April Debian fixes and the April Cockpit alert part of the same pattern: core admin and desktop components are getting patched on a rolling basis across major Linux distributions. (access.redhat.com, debian.org)

For Debian users, the immediate step is the ordinary one Debian repeats in each notice: upgrade the affected packages. The advisories cover both bookworm, Debian 12 oldstable, and trixie, Debian 13 stable, so the patch wave reaches systems on both sides of Debian’s current release line. (lists.debian.org, debian.org, lists.debian.org)
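To check an inventory against the fixed versions quoted above, version strings have to be compared the way Debian orders them (epoch first, `~` sorting before everything), not as plain text. The sketch below is an added example, not code from Debian or from the roundup: the comparison is a re-implementation of Debian's ordering rules, the function names and the sample inventory are constructed, and on a live host `dpkg --compare-versions` remains the authoritative check.

```python
import re
from itertools import zip_longest

# Fixed versions exactly as quoted above, keyed by the package names the article uses.
FIXED = {
    "inetutils": {"bookworm": "2:2.4-2+deb12u3", "trixie": "2:2.6-3+deb13u3"},
    "libyaml-syck-perl": {"bookworm": "1.34-2+deb12u2", "trixie": "1.34-2+deb13u2"},
    "webkit2gtk": {"bookworm": "2.50.6-1~deb12u1"},
}

def _order(c):
    # Weight of one non-digit character: '~' < end of string < letters < everything else.
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_string(a, b):
    # Walk alternating (non-digit, digit) runs; digit runs compare numerically.
    runs_a, runs_b = (re.findall(r"(\D*)(\d*)", s) for s in (a, b))
    for (ta, na), (tb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(ta, tb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        x, y = int(na or 0), int(nb or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def parse(version):
    # Split [epoch:]upstream[-revision]; a missing epoch counts as 0.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare(a, b):
    # Return -1, 0 or 1 as version a sorts before, equal to or after version b.
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    return (ea > eb) - (ea < eb) or _cmp_string(ua, ub) or _cmp_string(ra, rb)

def unpatched(installed, release):
    # Map each package still below its fixed version to (installed, fixed).
    fixes = {p: FIXED.get(p, {}).get(release) for p in installed}
    return {p: (v, fixes[p]) for p, v in installed.items()
            if fixes[p] and compare(v, fixes[p]) < 0}

# Constructed sample inventory for a bookworm host (not taken from any advisory).
SAMPLE = {"inetutils": "2:2.4-2+deb12u2", "libyaml-syck-perl": "1.34-2+deb12u2",
          "webkit2gtk": "2.50.4-1~deb12u1"}
print(unpatched(SAMPLE, "bookworm"))
```

`gdk-pixbuf` is left out of the table because the text above gives no fixed version for it.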
