
[SUA 266-1] Upcoming Debian 12 Update (12.11)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 266-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
May 12th, 2025
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.11)

An update to Debian 12 is scheduled for Saturday, May 17th, 2025. As of now
it will include the following bug fixes. They can be found in "bookworm-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  adonthell                  Fix compatibility with SWIG 4.1

  base-files                 Update for the point release

  bash                       Rebuild for outdated Built-Using
                             (glibc/2.36-9+deb12u5)

  busybox                    Rebuild for outdated Built-Using (glibc/2.36-9)

  cdebootstrap               Rebuild for outdated Built-Using (glibc/2.36-9)

  chkrootkit                 Rebuild for outdated Built-Using
                             (glibc/2.36-9+deb12u5)

  crowdsec                   Rebuild for outdated Built-Using
                             (docker.io/20.10.24+dfsg1-1)

  dar                        Rebuild for outdated Built-Using
                             (glibc/2.36-9+deb12u5)

  debian-archive-keyring     Add archive signing and SRM keys for trixie
                             (Debian 13); move buster (Debian 10) keys to
                             removed keyring

  debian-security-support    Update list of packages receiving limited
                             support, or unsupported, in bookworm

  distro-info-data           Add Debian 15 and Ubuntu 25.10

  docker.io                  Rebuild for outdated Built-Using
                             (containerd/1.6.20~ds1-1, glibc/2.36-9+deb12u8)

  dpdk                       New upstream stable release

  fig2dev                    Reject huge pattern lengths [CVE-2025-31162];
                             reject arcs with co-incident points
                             [CVE-2025-31163]; allow an arc-box with zero
                             radius [CVE-2025-31164]

  fossil                     Fix interaction with an Apache HTTP server
                             including the fix for CVE-2024-24795

  gcc-12                     Fix -fstack-protector handling of overflows on
                             AArch64 [CVE-2023-4039]

  gcc-mingw-w64              Rebuild for outdated Built-Using
                             (gcc-12/12.2.0-13)

  glib2.0                    Fix integer overflow in
                             g_date_time_new_from_iso8601() [CVE-2025-3360]

  golang-github-containerd-  Rebuild for outdated Built-Using
    stargz-snapshotter       (containerd/1.6.20~ds1-1, runc/1.1.5+ds1-1)

  golang-github-containers-  Rebuild for outdated Built-Using
    buildah                  (containerd/1.6.20~ds1-1)

  golang-github-openshift-   Rebuild for outdated Built-Using
    imagebuilder             (containerd/1.6.20~ds1-1,
                             docker.io/20.10.24+dfsg1-1)

  haproxy                    Fix heap buffer overflow issue [CVE-2025-32464]

  igtf-policy-bundle         Backport current policy bundle

  imagemagick                Fix "MIFF image depth mishandled after
                             SetQuantumFormat" [CVE-2025-43965]

  initramfs-tools            Restore copy_file's handling of target ending
                             in slash; exclude usr-merge symlinks in
                             copy_file; add reset drivers when MODULES=dep

  krb5                       Fix memory leak in ndr.c [CVE-2024-26462];
                             prevent buffer overflow when calculating ulog
                             buffer size [CVE-2025-24528]

  libbson-xs-perl            Fix security issues in embedded copy of
                             libbson: denial of service [CVE-2017-14227];
                             buffer over-read [CVE-2018-16790]; infinite
                             loop [CVE-2023-0437]; memory corruption
                             [CVE-2024-6381]; buffer overflows
                             [CVE-2024-6383 CVE-2025-0755]

  libcap2                    Fix incorrect recognition of group names
                             [CVE-2025-1390]

  libdata-entropy-perl       Seed entropy pool with urandom by default
                             [CVE-2025-1860]

  libpod                     Rebuild for outdated Built-Using
                             (containerd/1.6.20~ds1-1,
                             docker.io/20.10.24+dfsg1-1, golang-github-
                             containers-buildah/1.28.2+ds1-3)

  libsub-handlesvia-perl     Fix arbitrary code execution issue
                             [CVE-2025-30673]

  linux                      New upstream release; bump ABI to 35

  linux-signed-amd64         New upstream release; bump ABI to 35

  linux-signed-arm64         New upstream release; bump ABI to 35

  linux-signed-i386          New upstream release; bump ABI to 35

  logcheck                   Respect removal of /etc/logcheck/header.txt

  mongo-c-driver             Fix infinite loop issue [CVE-2023-0437]; fix
                             integer overflow issue [CVE-2024-6381]; fix
                             buffer overflow issues [CVE-2024-6383
                             CVE-2025-0755]

  network-manager            Fix crash dereferencing NULL pointer during
                             debug logging [CVE-2024-6501]

  nginx                      Fix buffer underread and unordered chunk
                             vulnerabilities in mp4 [CVE-2024-7347]

  node-fstream-ignore        Fix build failure by not running tests in
                             parallel

  node-send                  Fix cross-site scripting issue [CVE-2024-43799]

  node-serialize-javascript  Fix cross-site scripting issue [CVE-2024-11831]

  nvidia-graphics-drivers    New upstream stable release; remove ppc64el
                             support (migrated to src:nvidia-graphics-
                             drivers-tesla-535); fix build issues with newer
                             kernel versions; security fixes [CVE-2024-0131
                             CVE-2024-0147 CVE-2024-0149 CVE-2024-0150
                             CVE-2024-53869 CVE-2025-23244]

  nvidia-graphics-drivers-   New upstream stable release; transition to
    tesla                    packages from src:nvidia-graphics-drivers-
                             tesla-535 on ppc64el; fix build issues with
                             newer kernel versions

  nvidia-graphics-drivers-   New package for the now EOL ppc64el support
    tesla-535

  nvidia-open-gpu-kernel-    New upstream stable release; security fixes
    modules                  [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149
                             CVE-2024-0150 CVE-2024-53869 CVE-2025-23244]

  nvidia-settings            New upstream stable release; drop support for
                             some obsolete packages; relax the nvidia-
                             alternative dependency to a suggestion on
                             ppc64el

  openrazer                  Fix out of bounds read issue [CVE-2025-32776]

  opensnitch                 Rebuild for outdated Built-Using (golang-
                             github-google-nftables/0.1.0-3)

  openssh                    Fix the DisableForwarding directive
                             [CVE-2025-32728]

  openssl                    New upstream stable release; fix timing side
                             channel issue [CVE-2024-13176]

  openvpn                    Avoid possible ASSERT() on OpenVPN servers
                             using --tls-crypt-v2 [CVE-2025-2704]; prevent
                             malicious peer DoS or log-flooding
                             [CVE-2024-5594]; refuse multiple exit
                             notifications from authenticated clients
                             [CVE-2024-28882]; update expired certificates
                             in build tests

  phpmyadmin                 Fix XSS vulnerabilities [CVE-2025-24529
                             CVE-2025-24530]

  policyd-rate-limit         Fix startup with newer python3-yaml

  poppler                    Fix crash on malformed files [CVE-2023-34872];
                             fix out-of-bounds read issues [CVE-2024-56378
                             CVE-2025-32365]; fix floating point exception
                             issue [CVE-2025-32364]

  postgresql-15              New upstream stable release; fix buffer over-
                             read issue [CVE-2025-4207]

  prometheus                 Rebuild for outdated Built-Using
                             (docker.io/20.10.24+dfsg1-1)

  prometheus-postfix-        Rebuild for outdated Built-Using
    exporter                 (docker.io/20.10.24+dfsg1-1)

  python-h11                 Fix request smuggling issue [CVE-2025-43859]

  python3.11                 Fix misparsing issues [CVE-2025-0938
                             CVE-2025-1795]

  qemu                       New upstream bugfix release

  qtbase-opensource-src      Delay HTTP2 communication until encrypted() can
                             be responded to [CVE-2024-39936]; fix crash
                             with null checks in table iface methods

  redis                      Fix denial of service issue [CVE-2025-21605]

  renaissance                Avoid exception on startup

  sash                       Rebuild for outdated Built-Using (glibc/2.36-9)

  shadow                     Fix password leak issue [CVE-2023-4641]; fix
                             chfn control character injection issue
                             [CVE-2023-29383]

  skeema                     Rebuild for outdated Built-Using
                             (containerd/1.6.20~ds1-1,
                             docker.io/20.10.24+dfsg1-1)

  skopeo                     Rebuild for outdated Built-Using
                             (docker.io/20.10.24+dfsg1-1)

  telegram-desktop           Rebuild for outdated Built-Using (ms-
                             gsl/4.0.0-2)

  tripwire                   Rebuild for outdated Built-Using
                             (glibc/2.36-9+deb12u5)

  twitter-bootstrap3         Fix cross-site scripting issues [CVE-2024-6485
                             CVE-2024-6484]

  twitter-bootstrap4         Fix cross-site scripting issue [CVE-2024-6531]

  tzdata                     New America/Coyhaique zone for Aysén Region in
                             Chile

  user-mode-linux            Rebuild for outdated Built-Using
                             (linux/6.1.82-1)

  varnish                    Prevent HTTP/1 client-side desync
                             [CVE-2025-30346]

  wireless-regdb             New upstream release

  xmedcon                    Fix buffer overflow [CVE-2025-2581]

  zsh                        Rebuild for outdated Built-Using
                             (glibc/2.36-9+deb12u5, libcap2/1:2.66-4)


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  viagee                     No longer able to connect to gmail


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
