----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 264-1         https://www.debian.org/
debian-release@lists.debian.org                          Jonathan Wiltshire
March 11th, 2025
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.10)

An update to Debian 12 is scheduled for Saturday, March 15th, 2025. As of
now it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                        Reason
-------                        ------
389-ds-base                    Fix crash when modifying userPassword using
                               malformed input [CVE-2024-2199 CVE-2024-8445];
                               prevent denial of service while attempting to
                               log in with a user with a malformed hash in
                               their password [CVE-2024-5953]; prevent denial
                               of service on the directory server with
                               specially-crafted LDAP query [CVE-2024-3657]
base-files                     Update for the point release
bup                            New upstream bugfix release
containerd                     Fix tests causing FTBFS on the auto-builder
                               network
curl                           Fix two possible credentials leakage issues
                               [CVE-2024-11053 CVE-2025-0167]; fix test
                               failures due to port clashes; fix unintended
                               HTTPS upgrades or premature reversion to HTTP
                               when both subdomains and parent domains are
                               used [CVE-2024-9681]; prevent stopping of
                               stunnel before retries in the build-time tests
dacite                         Do not cache result of
                               get_default_value_for_field
dcmtk                          Fix issue when rendering an invalid monochrome
                               DICOM image [CVE-2024-47796]; ensure: HighBit <
                               BitsAllocated [CVE-2024-52333]; fix possible
                               overflows when allocating memory
                               [CVE-2024-27628]; fix two segmentation faults
                               [CVE-2024-34508 CVE-2024-34509]; fix arbitrary
                               code execution issue [CVE-2024-28130]; fix
                               buffer overflow issues [CVE-2025-25472
                               CVE-2025-25474]; fix NULL pointer dereference
                               issue [CVE-2025-25475]
debian-installer               Increase Linux kernel ABI to 6.1.0-32; rebuild
                               against proposed-updates
debian-ports-archive-keyring   Add 2026 key; move 2023 and 2024 keys to the
                               removed keyring
dgit                           Add missing parameters for source upload target
djoser                         Fix authentication bypass [CVE-2024-21543]
dns-root-data                  Add the DNSKEY record for KSK-2024
edk2                           Fix overflow condition in
                               PeCoffLoaderRelocateImage() [CVE-2024-38796];
                               fix potential UINT32 overflow in S3 ResumeCount
                               [CVE-2024-1298]
elpa                           Fix tests on machines with 2 vCPU or fewer
flightgear                     Fix sandbox bypass vulnerability in Nasal
                               scripts [CVE-2025-0781]
gensim                         Fix FTBFS on single-CPU machines
glibc                          Fix buffer overflow when printing assertion
                               failure message [CVE-2025-0395]; fix memset
                               performance for unaligned destinations; fix TLS
                               performance degradation after dlopen() usage;
                               avoid integer truncation when parsing CPUID
                               data with large cache sizes; ensure data passed
                               to the rseq syscall are properly initialized
golang-github-containers-buildah
                               Disable a test known to fail on the
                               auto-builder network, fixing FTBFS
intel-microcode                New upstream security release [CVE-2023-34440
                               CVE-2023-43758 CVE-2024-24582 CVE-2024-28047
                               CVE-2024-28127 CVE-2024-29214 CVE-2024-31068
                               CVE-2024-31157 CVE-2024-36293 CVE-2024-37020
                               CVE-2024-39279 CVE-2024-39355]
iptables-netflow               Fix build with newer bullseye kernels
jinja2                         Fix arbitrary code execution issues
                               [CVE-2024-56201 CVE-2024-56326]
joblib                         Fix FTBFS on single-CPU systems
lemonldap-ng                   Fix CSRF vulnerability on 2FA registration
                               interface [CVE-2024-52948]
libapache-mod-jk               Set correct default permissions for shared
                               memory [CVE-2024-46544]
libeconf                       Fix buffer overflow vulnerability
                               [CVE-2023-32181 CVE-2023-22652]
librabbitmq                    Add option to read username/password from file
                               [CVE-2023-35789]
libtar                         Fix out-of-bounds read in gnu_longlink()
                               [CVE-2021-33643]; fix out-of-bounds read in
                               gnu_longname() [CVE-2021-33644]; fix memory
                               leak in th_read() [CVE-2021-33645]; fix memory
                               leak in th_read() [CVE-2021-33646]
linux                          New upstream release; bump ABI to 32
linux-signed-amd64
linux-signed-arm64
linux-signed-i386
linuxcnc                       Fix multi axes movement on single axis G0 MDI
                               call
ltt-control                    Fix consumer crash on shutdown
lttng-modules                  Fix build with newer bullseye kernels
mariadb                        New upstream stable release; fix denial of
                               service issue [CVE-2025-21490]; fix security
                               issue [CVE-2024-21096]
monero                         Impose response limits on HTTP server
                               connections [CVE-2025-26819]
mozc                           Install fcitx icons to the correct locations
ndcube                         Ignore test warnings from astropy
nginx                          Fix possible bypass of client certificate
                               authentication [CVE-2025-23419]
node-axios                     Fix CSRF vulnerability [CVE-2023-45857]; fix
                               potential vulnerability in URL when determining
                               an origin [CVE-2024-57965]
node-js-sdsl                   Fix build failure
node-postcss                   Fix mishandling of non-integer values leading
                               to denial of service in nanoid
                               [CVE-2024-55565]; fix parsing of external
                               untrusted CSS [CVE-2023-44270]
node-recast                    Fix build failure
node-redis                     Fix build failure
node-rollup                    Fix FTBFS arising from changed timeout API
openh264                       Fix Cisco download URL
php-nesbot-carbon              Fix arbitrary file include issue
                               [CVE-2025-22145]
postgresql-15                  New upstream release; harden PQescapeString and
                               allied functions against invalidly-encoded
                               strings; new upstream stable release; improve
                               behavior of libpq's quoting functions
                               [CVE-2025-1094]
puma                           Fix behaviour when parsing chunked transfer
                               encoding bodies and zero-length Content-Length
                               headers [CVE-2023-40175]; limit size of chunk
                               extensions [CVE-2024-21647]; prevent
                               manipulation of headers set by intermediate
                               proxies [CVE-2024-45614]
python-pycdlib                 Run tests only if /tmp is tmpfs, otherwise they
                               are known to fail
rapiddisk                      Support Linux versions up to 6.10
rsyslog                        Avoid segmentation fault if a SIGTERM is
                               received during startup
runit-services                 Do not enable dhclient service by default
seqan3                         Fix parallel running of tests
simgear                        Fix sandbox bypass vulnerability in Nasal
                               scripts [CVE-2025-0781]
spamassassin                   New upstream stable release
sssd                           Apply GPO policy consistently [CVE-2023-3758]
subversion                     Fix vulnerable parsing of control characters in
                               paths served by mod_dav_svn [CVE-2024-46901]
sunpy                          Ignore test warnings from astropy
systemd                        New upstream stable release
tzdata                         New upstream release; update data for Paraguay;
                               update leap second information
vagrant                        Fix URL of public Vagrant registry
vim                            Fix crash when expanding "~" in substitute
                               [CVE-2023-2610]; fix buffer-overflow in
                               vim_regsub_both() [CVE-2023-4738]; fix heap use
                               after free in ins_compl_get_exp()
                               [CVE-2023-4752]; fix heap-buffer-overflow in
                               vim_regsub_both [CVE-2023-4781]; fix
                               buffer-overflow in trunc_string()
                               [CVE-2023-5344]; fix stack-buffer-overflow in
                               option callback functions [CVE-2024-22667]; fix
                               heap-buffer-overflow in ins_typebuf
                               [CVE-2024-43802]; fix use-after-free when
                               closing a buffer [CVE-2024-47814]; fix build
                               failure on 32-bit architectures
wget                           Fix mishandling of semicolons in userinfo in
                               URLs [CVE-2024-38428]
xen                            Allow direct kernel boot with kernels >= 6.12

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                        Reason
-------                        ------
libnet-easytcp-perl            Unmaintained upstream; security issues
looking-glass                  Not suitable for a stable release

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".