------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 12: 12.10 released                       press@debian.org
March 15th, 2025               https://www.debian.org/News/2025/20250315
------------------------------------------------------------------------

The Debian project is pleased to announce the tenth update of its stable
distribution Debian 12 (codename "bookworm"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 12 but only updates some of the packages included. There is no
need to throw away old "bookworm" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors.
A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+-------------------------+-------------------------------------------+
| Package                 | Reason                                    |
+-------------------------+-------------------------------------------+
| 389-ds-base [1]         | Fix crash when modifying userPassword     |
|                         | using malformed input [CVE-2024-2199      |
|                         | CVE-2024-8445]; prevent denial of service |
|                         | while attempting to log in with a user    |
|                         | with a malformed hash in their password   |
|                         | [CVE-2024-5953]; prevent denial of        |
|                         | service on the directory server with      |
|                         | specially-crafted LDAP query [CVE-2024-   |
|                         | 3657]                                     |
|                         |                                           |
| base-files [2]          | Update for the point release              |
|                         |                                           |
| bup [3]                 | New upstream bugfix release               |
|                         |                                           |
| containerd [4]          | Fix tests causing FTBFS on the auto-      |
|                         | builder network                           |
|                         |                                           |
| curl [5]                | Fix unintended HTTPS upgrades or          |
|                         | premature reversion to HTTP when both     |
|                         | subdomains and parent domains are used    |
|                         | [CVE-2024-9681]; prevent stopping of      |
|                         | stunnel before retries in the build-time  |
|                         | tests; fix possible credentials leakage   |
|                         | issues [CVE-2024-11053 CVE-2025-0167];    |
|                         | fix test failures due to port clashes     |
|                         |                                           |
| dacite [6]              | Do not cache result of                    |
|                         | get_default_value_for_field               |
|                         |                                           |
| dcmtk [7]               | Fix issue when rendering an invalid       |
|                         | monochrome DICOM image [CVE-2024-47796];  |
|                         | ensure: HighBit < BitsAllocated           |
|                         | [CVE-2024-52333]; fix possible overflows  |
|                         | when allocating memory [CVE-2024-27628];  |
|                         | fix two segmentation faults [CVE-2024-    |
|                         | 34508 CVE-2024-34509]; fix arbitrary code |
|                         | execution issue [CVE-2024-28130]; fix     |
|                         | buffer overflow issues [CVE-2025-25472    |
|                         | CVE-2025-25474]; fix NULL pointer         |
|                         | dereference issue [CVE-2025-25475]        |
|                         |                                           |
| debian-installer [8]    | Increase Linux kernel ABI to 6.1.0-32;    |
|                         | rebuild against proposed-updates          |
|                         |                                           |
| debian-ports-archive-   | Add 2026 key; move 2023 and 2024 keys to  |
| keyring [9]             | the removed keyring                       |
|                         |                                           |
| dgit [10]               | Add missing parameters for source upload  |
|                         | target                                    |
|                         |                                           |
| djoser [11]             | Fix authentication bypass [CVE-2024-      |
|                         | 21543]                                    |
|                         |                                           |
| dns-root-data [12]      | Add the DNSKEY record for KSK-2024        |
|                         |                                           |
| edk2 [13]               | Fix overflow condition in                 |
|                         | PeCoffLoaderRelocateImage() [CVE-2024-    |
|                         | 38796]; fix potential UINT32 overflow in  |
|                         | S3 ResumeCount [CVE-2024-1298]            |
|                         |                                           |
| elpa [14]               | Fix tests on machines with 2 vCPU or      |
|                         | fewer                                     |
|                         |                                           |
| flightgear [15]         | Fix sandbox bypass vulnerability in Nasal |
|                         | scripts [CVE-2025-0781]                   |
|                         |                                           |
| gensim [16]             | Fix build failure on single-CPU machines  |
|                         |                                           |
| glibc [17]              | Fix buffer overflow when printing         |
|                         | assertion failure message [CVE-2025-      |
|                         | 0395]; fix memset performance for         |
|                         | unaligned destinations; fix TLS           |
|                         | performance degradation after dlopen()    |
|                         | usage; avoid integer truncation when      |
|                         | parsing CPUID data with large cache       |
|                         | sizes; ensure data passed to the rseq     |
|                         | syscall are properly initialized          |
|                         |                                           |
| golang-github-          | Disable a test known to fail on the auto- |
| containers-buildah [18] | builder network, fixing build failure     |
|                         |                                           |
| intel-microcode [19]    | New upstream security release [CVE-2023-  |
|                         | 34440 CVE-2023-43758 CVE-2024-24582       |
|                         | CVE-2024-28047 CVE-2024-28127 CVE-2024-   |
|                         | 29214 CVE-2024-31068 CVE-2024-31157       |
|                         | CVE-2024-36293 CVE-2024-37020 CVE-2024-   |
|                         | 39279 CVE-2024-39355]                     |
|                         |                                           |
| iptables-netflow [20]   | Fix build with newer bullseye kernels     |
|                         |                                           |
| jinja2 [21]             | Fix arbitrary code execution issues       |
|                         | [CVE-2024-56201 CVE-2024-56326]           |
|                         |                                           |
| joblib [22]             | Fix build failure on single-CPU systems   |
|                         |                                           |
| lemonldap-ng [23]       | Fix CSRF vulnerability on 2FA             |
|                         | registration interface [CVE-2024-52948]   |
|                         |                                           |
| libapache-mod-jk [24]   | Set correct default permissions for       |
|                         | shared memory [CVE-2024-46544]            |
|                         |                                           |
| libeconf [25]           | Fix buffer overflow vulnerability         |
|                         | [CVE-2023-32181 CVE-2023-22652]           |
|                         |                                           |
| librabbitmq [26]        | Add option to read username/password from |
|                         | file [CVE-2023-35789]                     |
|                         |                                           |
| libtar [27]             | Fix out-of-bounds read in gnu_longlink()  |
|                         | [CVE-2021-33643]; fix out-of-bounds read  |
|                         | in gnu_longname() [CVE-2021-33644]; fix   |
|                         | memory leak in th_read() [CVE-2021-       |
|                         | 33645]; fix memory leak in th_read()      |
|                         | [CVE-2021-33646]                          |
|                         |                                           |
| linux [28]              | New upstream release; bump ABI to 32      |
|                         |                                           |
| linux-signed-amd64 [29] | New upstream release; bump ABI to 32      |
|                         |                                           |
| linux-signed-arm64 [30] | New upstream release; bump ABI to 32      |
|                         |                                           |
| linux-signed-i386 [31]  | New upstream release; bump ABI to 32      |
|                         |                                           |
| linuxcnc [32]           | Fix multi axes movement on single axis G0 |
|                         | MDI call                                  |
|                         |                                           |
| ltt-control [33]        | Fix consumer crash on shutdown            |
|                         |                                           |
| lttng-modules [34]      | Fix build with newer bullseye kernels     |
|                         |                                           |
| mariadb [35]            | New upstream stable release; fix security |
|                         | issue [CVE-2024-21096]; fix denial of     |
|                         | service issue [CVE-2025-21490]            |
|                         |                                           |
| monero [36]             | Impose response limits on HTTP server     |
|                         | connections [CVE-2025-26819]              |
|                         |                                           |
| mozc [37]               | Install fcitx icons to the correct        |
|                         | locations                                 |
|                         |                                           |
| ndcube [38]             | Ignore test warnings from astropy         |
|                         |                                           |
| nginx [39]              | Fix possible bypass of client certificate |
|                         | authentication [CVE-2025-23419]           |
|                         |                                           |
| node-axios [40]         | Fix CSRF vulnerability [CVE-2023-45857];  |
|                         | fix potential vulnerability in URL when   |
|                         | determining an origin [CVE-2024-57965]    |
|                         |                                           |
| node-js-sdsl [41]       | Fix build failure                         |
|                         |                                           |
| node-postcss [42]       | Fix mishandling of non-integer values     |
|                         | leading to denial of service in nanoid    |
|                         | [CVE-2024-55565]; fix parsing of external |
|                         | untrusted CSS [CVE-2023-44270]            |
|                         |                                           |
| node-recast [43]        | Fix build failure                         |
|                         |                                           |
| node-redis [44]         | Fix build failure                         |
|                         |                                           |
| node-rollup [45]        | Fix build failure arising from changed    |
|                         | timeout API                               |
|                         |                                           |
| openh264 [46]           | Fix Cisco download URL                    |
|                         |                                           |
| php-nesbot-carbon [47]  | Fix arbitrary file include issue          |
|                         | [CVE-2025-22145]                          |
|                         |                                           |
| postgresql-15 [48]      | New upstream stable release; harden       |
|                         | PQescapeString and allied functions       |
|                         | against invalidly-encoded strings;        |
|                         | improve behavior of libpq's quoting       |
|                         | functions [CVE-2025-1094]                 |
|                         |                                           |
| puma [49]               | Fix behavior when parsing chunked         |
|                         | transfer encoding bodies and zero-length  |
|                         | Content-Length headers [CVE-2023-40175];  |
|                         | limit size of chunk extensions [CVE-2024- |
|                         | 21647]; prevent manipulation of headers   |
|                         | set by intermediate proxies [CVE-2024-    |
|                         | 45614]                                    |
|                         |                                           |
| python-django [50]      | Fix regular expression-based denial of    |
|                         | service issue [CVE-2023-36053], denial of |
|                         | service issues [CVE-2024-38875 CVE-2024-  |
|                         | 39614 CVE-2024-41990 CVE-2024-41991],     |
|                         | user enumeration issue [CVE-2024-39329],  |
|                         | directory traversal issue [CVE-2024-      |
|                         | 39330], excessive memory consumption      |
|                         | issue [CVE-2024-41989], SQL injection     |
|                         | issue [CVE-2024-42005]                    |
|                         |                                           |
| python-pycdlib [51]     | Run tests only if /tmp is tmpfs,          |
|                         | otherwise they are known to fail          |
|                         |                                           |
| rapiddisk [52]          | Support Linux versions up to 6.10         |
|                         |                                           |
| rsyslog [53]            | Avoid segmentation fault if a SIGTERM is  |
|                         | received during startup                   |
|                         |                                           |
| runit-services [54]     | Do not enable dhclient service by default |
|                         |                                           |
| seqan3 [55]             | Fix parallel running of tests             |
|                         |                                           |
| simgear [56]            | Fix sandbox bypass vulnerability in Nasal |
|                         | scripts [CVE-2025-0781]                   |
|                         |                                           |
| spamassassin [57]       | New upstream stable release               |
|                         |                                           |
| sssd [58]               | Apply GPO policy consistently [CVE-2023-  |
|                         | 3758]                                     |
|                         |                                           |
| subversion [59]         | Fix vulnerable parsing of control         |
|                         | characters in paths served by mod_dav_svn |
|                         | [CVE-2024-46901]                          |
|                         |                                           |
| sunpy [60]              | Ignore test warnings from astropy         |
|                         |                                           |
| systemd [61]            | New upstream stable release               |
|                         |                                           |
| tzdata [62]             | New upstream release; update data for     |
|                         | Paraguay; update leap second information  |
|                         |                                           |
| vagrant [63]            | Fix URL of public Vagrant registry        |
|                         |                                           |
| vim [64]                | Fix crash when expanding "~" in           |
|                         | substitute [CVE-2023-2610]; fix buffer-   |
|                         | overflow in vim_regsub_both() [CVE-2023-  |
|                         | 4738]; fix heap use after free in         |
|                         | ins_compl_get_exp() [CVE-2023-4752]; fix  |
|                         | heap-buffer-overflow in vim_regsub_both   |
|                         | [CVE-2023-4781]; fix buffer-overflow in   |
|                         | trunc_string() [CVE-2023-5344]; fix       |
|                         | stack-buffer-overflow in option callback  |
|                         | functions [CVE-2024-22667]; fix heap-     |
|                         | buffer-overflow in ins_typebuf [CVE-2024- |
|                         | 43802]; fix use-after-free when closing a |
|                         | buffer [CVE-2024-47814]; fix build        |
|                         | failure on 32-bit architectures           |
|                         |                                           |
| wget [65]               | Fix mishandling of semicolons in userinfo |
|                         | in URLs [CVE-2024-38428]                  |
|                         |                                           |
| xen [66]                | Allow direct kernel boot with kernels >=  |
|                         | 6.12                                      |
|                         |                                           |
+-------------------------+-------------------------------------------+

  1: https://packages.debian.org/src:389-ds-base
  2: https://packages.debian.org/src:base-files
  3: https://packages.debian.org/src:bup
  4: https://packages.debian.org/src:containerd
  5: https://packages.debian.org/src:curl
  6: https://packages.debian.org/src:dacite
  7: https://packages.debian.org/src:dcmtk
  8: https://packages.debian.org/src:debian-installer
  9: https://packages.debian.org/src:debian-ports-archive-keyring
 10: https://packages.debian.org/src:dgit
 11: https://packages.debian.org/src:djoser
 12: https://packages.debian.org/src:dns-root-data
 13: https://packages.debian.org/src:edk2
 14: https://packages.debian.org/src:elpa
 15: https://packages.debian.org/src:flightgear
 16: https://packages.debian.org/src:gensim
 17: https://packages.debian.org/src:glibc
 18: https://packages.debian.org/src:golang-github-containers-buildah
 19: https://packages.debian.org/src:intel-microcode
 20: https://packages.debian.org/src:iptables-netflow
 21: https://packages.debian.org/src:jinja2
 22: https://packages.debian.org/src:joblib
 23: https://packages.debian.org/src:lemonldap-ng
 24: https://packages.debian.org/src:libapache-mod-jk
 25: https://packages.debian.org/src:libeconf
 26: https://packages.debian.org/src:librabbitmq
 27: https://packages.debian.org/src:libtar
 28: https://packages.debian.org/src:linux
 29: https://packages.debian.org/src:linux-signed-amd64
 30: https://packages.debian.org/src:linux-signed-arm64
 31: https://packages.debian.org/src:linux-signed-i386
 32: https://packages.debian.org/src:linuxcnc
 33: https://packages.debian.org/src:ltt-control
 34: https://packages.debian.org/src:lttng-modules
 35: https://packages.debian.org/src:mariadb
 36: https://packages.debian.org/src:monero
 37: https://packages.debian.org/src:mozc
 38: https://packages.debian.org/src:ndcube
 39: https://packages.debian.org/src:nginx
 40: https://packages.debian.org/src:node-axios
 41: https://packages.debian.org/src:node-js-sdsl
 42: https://packages.debian.org/src:node-postcss
 43: https://packages.debian.org/src:node-recast
 44: https://packages.debian.org/src:node-redis
 45: https://packages.debian.org/src:node-rollup
 46: https://packages.debian.org/src:openh264
 47: https://packages.debian.org/src:php-nesbot-carbon
 48: https://packages.debian.org/src:postgresql-15
 49: https://packages.debian.org/src:puma
 50: https://packages.debian.org/src:python-django
 51: https://packages.debian.org/src:python-pycdlib
 52: https://packages.debian.org/src:rapiddisk
 53: https://packages.debian.org/src:rsyslog
 54: https://packages.debian.org/src:runit-services
 55: https://packages.debian.org/src:seqan3
 56: https://packages.debian.org/src:simgear
 57: https://packages.debian.org/src:spamassassin
 58: https://packages.debian.org/src:sssd
 59: https://packages.debian.org/src:subversion
 60: https://packages.debian.org/src:sunpy
 61: https://packages.debian.org/src:systemd
 62: https://packages.debian.org/src:tzdata
 63: https://packages.debian.org/src:vagrant
 64: https://packages.debian.org/src:vim
 65: https://packages.debian.org/src:wget
 66: https://packages.debian.org/src:xen


Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+--------------------------+
| Advisory ID    | Package                  |
+----------------+--------------------------+
| DSA-5834 [67]  | chromium [68]            |
|                |                          |
| DSA-5836 [69]  | xen [70]                 |
|                |                          |
| DSA-5839 [71]  | firefox-esr [72]         |
|                |                          |
| DSA-5840 [73]  | chromium [74]            |
|                |                          |
| DSA-5841 [75]  | thunderbird [76]         |
|                |                          |
| DSA-5842 [77]  | openafs [78]             |
|                |                          |
| DSA-5843 [79]  | rsync [80]               |
|                |                          |
| DSA-5844 [81]  | chromium [82]            |
|                |                          |
| DSA-5845 [83]  | tomcat10 [84]            |
|                |                          |
| DSA-5846 [85]  | libreoffice [86]         |
|                |                          |
| DSA-5847 [87]  | snapcast [88]            |
|                |                          |
| DSA-5848 [89]  | chromium [90]            |
|                |                          |
| DSA-5849 [91]  | git-lfs [92]             |
|                |                          |
| DSA-5850 [93]  | git [94]                 |
|                |                          |
| DSA-5851 [95]  | openjpeg2 [96]           |
|                |                          |
| DSA-5852 [97]  | pdns-recursor [98]       |
|                |                          |
| DSA-5853 [99]  | pam-u2f [100]            |
|                |                          |
| DSA-5854 [101] | bind9 [102]              |
|                |                          |
| DSA-5855 [103] | chromium [104]           |
|                |                          |
| DSA-5856 [105] | redis [106]              |
|                |                          |
| DSA-5857 [107] | openjdk-17 [108]         |
|                |                          |
| DSA-5858 [109] | firefox-esr [110]        |
|                |                          |
| DSA-5859 [111] | chromium [112]           |
|                |                          |
| DSA-5860 [113] | linux-signed-amd64 [114] |
|                |                          |
| DSA-5860 [115] | linux-signed-arm64 [116] |
|                |                          |
| DSA-5860 [117] | linux-signed-i386 [118]  |
|                |                          |
| DSA-5860 [119] | linux [120]              |
|                |                          |
| DSA-5861 [121] | thunderbird [122]        |
|                |                          |
| DSA-5862 [123] | cacti [124]              |
|                |                          |
| DSA-5863 [125] | libtasn1-6 [126]         |
|                |                          |
| DSA-5864 [127] | pam-pkcs11 [128]         |
|                |                          |
| DSA-5865 [129] | webkit2gtk [130]         |
|                |                          |
| DSA-5866 [131] | chromium [132]           |
|                |                          |
| DSA-5867 [133] | gnutls28 [134]           |
|                |                          |
| DSA-5868 [135] | openssh [136]            |
|                |                          |
| DSA-5869 [137] | chromium [138]           |
|                |                          |
| DSA-5870 [139] | openh264 [140]           |
|                |                          |
| DSA-5871 [141] | emacs [142]              |
|                |                          |
| DSA-5872 [143] | xorg-server [144]        |
|                |                          |
| DSA-5873 [145] | libreoffice [146]        |
|                |                          |
| DSA-5874 [147] | firefox-esr [148]        |
|                |                          |
| DSA-5875 [149] | chromium [150]           |
|                |                          |
| DSA-5876 [151] | thunderbird [152]        |
|                |                          |
+----------------+--------------------------+

 67: https://www.debian.org/security/2024/dsa-5834
 68: https://packages.debian.org/src:chromium
 69: https://www.debian.org/security/2024/dsa-5836
 70: https://packages.debian.org/src:xen
 71: https://www.debian.org/security/2025/dsa-5839
 72: https://packages.debian.org/src:firefox-esr
 73: https://www.debian.org/security/2025/dsa-5840
 74: https://packages.debian.org/src:chromium
 75: https://www.debian.org/security/2025/dsa-5841
 76: https://packages.debian.org/src:thunderbird
 77: https://www.debian.org/security/2025/dsa-5842
 78: https://packages.debian.org/src:openafs
 79: https://www.debian.org/security/2025/dsa-5843
 80: https://packages.debian.org/src:rsync
 81: https://www.debian.org/security/2025/dsa-5844
 82: https://packages.debian.org/src:chromium
 83: https://www.debian.org/security/2025/dsa-5845
 84: https://packages.debian.org/src:tomcat10
 85: https://www.debian.org/security/2025/dsa-5846
 86: https://packages.debian.org/src:libreoffice
 87: https://www.debian.org/security/2025/dsa-5847
 88: https://packages.debian.org/src:snapcast
 89: https://www.debian.org/security/2025/dsa-5848
 90: https://packages.debian.org/src:chromium
 91: https://www.debian.org/security/2025/dsa-5849
 92: https://packages.debian.org/src:git-lfs
 93: https://www.debian.org/security/2025/dsa-5850
 94: https://packages.debian.org/src:git
 95: https://www.debian.org/security/2025/dsa-5851
 96: https://packages.debian.org/src:openjpeg2
 97: https://www.debian.org/security/2025/dsa-5852
 98: https://packages.debian.org/src:pdns-recursor
 99: https://www.debian.org/security/2025/dsa-5853
100: https://packages.debian.org/src:pam-u2f
101: https://www.debian.org/security/2025/dsa-5854
102: https://packages.debian.org/src:bind9
103: https://www.debian.org/security/2025/dsa-5855
104: https://packages.debian.org/src:chromium
105: https://www.debian.org/security/2025/dsa-5856
106: https://packages.debian.org/src:redis
107: https://www.debian.org/security/2025/dsa-5857
108: https://packages.debian.org/src:openjdk-17
109: https://www.debian.org/security/2025/dsa-5858
110: https://packages.debian.org/src:firefox-esr
111: https://www.debian.org/security/2025/dsa-5859
112: https://packages.debian.org/src:chromium
113: https://www.debian.org/security/2025/dsa-5860
114: https://packages.debian.org/src:linux-signed-amd64
115: https://www.debian.org/security/2025/dsa-5860
116: https://packages.debian.org/src:linux-signed-arm64
117: https://www.debian.org/security/2025/dsa-5860
118: https://packages.debian.org/src:linux-signed-i386
119: https://www.debian.org/security/2025/dsa-5860
120: https://packages.debian.org/src:linux
121: https://www.debian.org/security/2025/dsa-5861
122: https://packages.debian.org/src:thunderbird
123: https://www.debian.org/security/2025/dsa-5862
124: https://packages.debian.org/src:cacti
125: https://www.debian.org/security/2025/dsa-5863
126: https://packages.debian.org/src:libtasn1-6
127: https://www.debian.org/security/2025/dsa-5864
128: https://packages.debian.org/src:pam-pkcs11
129: https://www.debian.org/security/2025/dsa-5865
130: https://packages.debian.org/src:webkit2gtk
131: https://www.debian.org/security/2025/dsa-5866
132: https://packages.debian.org/src:chromium
133: https://www.debian.org/security/2025/dsa-5867
134: https://packages.debian.org/src:gnutls28
135: https://www.debian.org/security/2025/dsa-5868
136: https://packages.debian.org/src:openssh
137: https://www.debian.org/security/2025/dsa-5869
138: https://packages.debian.org/src:chromium
139: https://www.debian.org/security/2025/dsa-5870
140: https://packages.debian.org/src:openh264
141: https://www.debian.org/security/2025/dsa-5871
142: https://packages.debian.org/src:emacs
143: https://www.debian.org/security/2025/dsa-5872
144: https://packages.debian.org/src:xorg-server
145: https://www.debian.org/security/2025/dsa-5873
146: https://packages.debian.org/src:libreoffice
147: https://www.debian.org/security/2025/dsa-5874
148: https://packages.debian.org/src:firefox-esr
149: https://www.debian.org/security/2025/dsa-5875
150: https://packages.debian.org/src:chromium
151: https://www.debian.org/security/2025/dsa-5876
152: https://packages.debian.org/src:thunderbird


Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+---------------------------+----------------------------------------+
| Package                   | Reason                                 |
+---------------------------+----------------------------------------+
| kanboard [153]            | Unmaintained; security issues          |
|                           |                                        |
| libnet-easytcp-perl [154] | Unmaintained upstream; security issues |
|                           |                                        |
| looking-glass [155]       | Not suitable for a stable release      |
|                           |                                        |
+---------------------------+----------------------------------------+

153: https://packages.debian.org/src:kanboard
154: https://packages.debian.org/src:libnet-easytcp-perl
155: https://packages.debian.org/src:looking-glass


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

  https://deb.debian.org/debian/dists/bookworm/ChangeLog

The current stable distribution:

  https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  https://deb.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.