---------------------------------------------------------------------------- Debian Stable Updates Announcement SUA 266-1 https://www.debian.org/ debian-release@lists.debian.org Adam D. Barratt May 12th, 2025 ---------------------------------------------------------------------------- Upcoming Debian 12 Update (12.11) An update to Debian 12 is scheduled for Saturday, May 17th, 2025. As of now it will include the following bug fixes. They can be found in "bookworm- proposed-updates", which is carried by all official mirrors. Please note that packages published through security.debian.org are not listed, but will be included if possible. Some of the updates below are also already available through "bookworm-updates". Testing and feedback would be appreciated. Bugs should be filed in the Debian Bug Tracking System, but please make the Release Team aware of them by copying "debian-release@lists.debian.org" on your mails. The point release will also include a rebuild of debian-installer. Miscellaneous Bugfixes ---------------------- This stable update adds a few important corrections to the following packages: Package Reason ------- ------ adonthell Fix compatibility with SWIG 4.1 base-files Update for the point release bash Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5) busybox Rebuild for outdated Built-Using (glibc/2.36-9) cdebootstrap Rebuild for outdated Built-Using (glibc/2.36-9) chkrootkit Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5) crowdsec Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1) dar Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5) debian-archive-keyring Add archive signing and SRM keys for trixie (Debian 13); move buster (Debian 10) keys to removed keyring debian-security-support Update list of packages receiving limited support, or unsupported, in bookworm distro-info-data Add Debian 15 and Ubuntu 25.10 docker.io Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, glibc/2.36-9+deb12u8) dpdk New upstream stable release fig2dev Reject huge pattern lengths [CVE-2025-31162]; reject arcs with co-incident points [CVE-2025-31163]; allow an arc-box with zero radius [CVE-2025-31164] fossil Fix interaction with an Apache HTTP server including the fix for CVE-2024-24795 gcc-12 Fix -fstack-protector handling of overflows on AArch64 [CVE-2023-4039] gcc-mingw-w64 Rebuild for outdated Built-Using (gcc-12/12.2.0-13) glib2.0 Fix integer overflow in g_date_time_new_from_iso8601() [CVE-2025-3360] golang-github-containerd- Rebuild for outdated Built-Using stargz-snapshotter (containerd/1.6.20~ds1-1, runc/1.1.5+ds1-1) golang-github-containers- Rebuild for outdated Built-Using buildah (containerd/1.6.20~ds1-1) golang-github-openshift- Rebuild for outdated Built-Using imagebuilder (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1) haproxy Fix heap buffer overflow issue [CVE-2025-32464] igtf-policy-bundle Backport current policy bundle imagemagick Fix "MIFF image depth mishandled after SetQuantumFormat" [CVE-2025-43965] initramfs-tools Restore copy_file's handling of target ending in slash; exclude usr-merge symlinks in copy_file; add reset drivers when MODULES=dep krb5 Fix memory leak in ndr.c [CVE-2024-26462]; prevent buffer overflow when calculating ulog buffer size [CVE-2025-24528] libbson-xs-perl Fix security issues in embedded copy of libbson: denial of service [CVE-2017-14227]; buffer over-read [CVE-2018-16790]; infinite loop [CVE-2023-0437]; memory corruption [CVE-2024-6381]; buffer overflows [CVE-2024-6383 CVE-2025-0755] libcap2 Fix incorrect recognition of group names [CVE-2025-1390] libdata-entropy-perl Seed entropy pool with urandom by default [CVE-2025-1860] libpod Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1, golang-github- containers-buildah/1.28.2+ds1-3) libsub-handlesvia-perl Fix arbitrary code execution issue [CVE-2025-30673] linux New upstream release; bump ABI to 35 linux-signed-amd64 New upstream release; bump ABI to 35 linux-signed-arm64 New upstream release; bump ABI to 35 linux-signed-i386 New upstream release; bump ABI to 35 logcheck Respect removal of /etc/logcheck/header.txt mongo-c-driver Fix infinite loop issue [CVE-2023-0437]; fix integer overflow issue [CVE-2024-6381]; fix buffer overflow issues [CVE-2024-6383 CVE-2025-0755] network-manager Fix crash dereferencing NULL pointer during debug logging [CVE-2024-6501] nginx Fix buffer underread and unordered chunk vulnerabilities in mp4 [CVE-2024-7347] node-fstream-ignore Fix build failure by not running tests in parallel node-send Fix cross-site scripting issue [CVE-2024-43799] node-serialize-javascript Fix cross-site scripting issue [CVE-2024-11831] nvidia-graphics-drivers New upstream stable release; remove ppc64el support (migrated to src:nvidia-graphics- drivers-tesla-535); fix build issues with newer kernel versions; security fixes [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149 CVE-2024-0150 CVE-2024-53869 CVE-2025-23244] nvidia-graphics-drivers- New upstream stable release; transition to tesla packages from src:nvidia-graphics-drivers- tesla-535 on ppc64el; fix build issues with newer kernel versions nvidia-graphics-drivers- New package for the now EOL ppc64el support tesla-535 nvidia-open-gpu-kernel- New upstream stable release; security fixes modules [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149 CVE-2024-0150 CVE-2024-53869 CVE-2025-23244] nvidia-settings New upstream stable release; drop support for some obsolete packages; relax the nvidia- alternative dependency to a suggestion on ppc64el openrazer Fix out of bounds read issue [CVE-2025-32776] opensnitch Rebuild for outdated Built-Using (golang- github-google-nftables/0.1.0-3) openssh Fix the DisableForwarding directive [CVE-2025-32728] openssl New upstream stable release; fix timing side channel issue [CVE-2024-13176] openvpn Avoid possible ASSERT() on OpenVPN servers using --tls-crypt-v2 [CVE-2025-2704]; prevent malicious peer DoS or log-flooding [CVE-2024-5594]; refuse multiple exit notifications from authenticated clients [CVE-2024-28882]; update expired certificates in build tests phpmyadmin Fix XSS vulnerabilities [CVE-2025-24529 CVE-2025-24530] policyd-rate-limit Fix startup with newer python3-yaml poppler Fix crash on malformed files [CVE-2023-34872]; fix out-of-bounds read issues [CVE-2024-56378 CVE-2025-32365]; fix floating point exception issue [CVE-2025-32364] postgresql-15 New upstream stable release; fix buffer over- read issue [CVE-2025-4207] prometheus Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1) prometheus-postfix- Rebuild for outdated Built-Using exporter (docker.io/20.10.24+dfsg1-1) python-h11 Fix request smuggling issue [CVE-2025-43859] python3.11 Fix misparsing issues [CVE-2025-0938 CVE-2025-1795] qemu New upstream bugfix release qtbase-opensource-src Delay HTTP2 communication until encrypted() can be responded to [CVE-2024-39936]; fix crash with null checks in table iface methods redis Fix denial of service issue [CVE-2025-21605] renaissance Avoid exception on startup sash Rebuild for outdated Built-Using (glibc/2.36-9) shadow Fix password leak issue [CVE-2023-4641]; fix chfn control character injection issue [CVE-2023-29383] skeema Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1) skopeo Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1) telegram-desktop Rebuild for outdated Built-Using (ms- gsl/4.0.0-2) tripwire Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5) twitter-bootstrap3 Fix cross-site scripting issues [CVE-2024-6485 CVE-2024-6484] twitter-bootstrap4 Fix cross-site scripting issue [CVE-2024-6531] tzdata New America/Coyhaique zone for Aysén Region in Chile user-mode-linux Rebuild for outdated Built-Using (linux/6.1.82-1) varnish Prevent HTTP/1 client-side desync [CVE-2025-30346] wireless-regdb New upstream release xmedcon Fix buffer overflow [CVE-2025-2581] zsh Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5, libcap2/1:2.66-4) A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision: <https://release.debian.org/proposed-updates/stable.html> Removed packages ---------------- The following packages will be removed due to circumstances beyond our control: Package Reason ------- ------ viagee No longer able to connect to gmail If you encounter any issues, please don't hesitate to get in touch with the Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: This is a digitally signed message part