----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 266-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
May 12th, 2025
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.11)

An update to Debian 12 is scheduled for Saturday, May 17th, 2025. As of now
it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                     Reason
-------                     ------

adonthell                   Fix compatibility with SWIG 4.1

base-files                  Update for the point release

bash                        Rebuild for outdated Built-Using
                            (glibc/2.36-9+deb12u5)

busybox                     Rebuild for outdated Built-Using (glibc/2.36-9)

cdebootstrap                Rebuild for outdated Built-Using (glibc/2.36-9)

chkrootkit                  Rebuild for outdated Built-Using
                            (glibc/2.36-9+deb12u5)

crowdsec                    Rebuild for outdated Built-Using
                            (docker.io/20.10.24+dfsg1-1)

dar                         Rebuild for outdated Built-Using
                            (glibc/2.36-9+deb12u5)

debian-archive-keyring      Add archive signing and SRM keys for trixie
                            (Debian 13); move buster (Debian 10) keys to
                            removed keyring

debian-security-support     Update list of packages receiving limited
                            support, or unsupported, in bookworm

distro-info-data            Add Debian 15 and Ubuntu 25.10

docker.io                   Rebuild for outdated Built-Using
                            (containerd/1.6.20~ds1-1, glibc/2.36-9+deb12u8)

dpdk                        New upstream stable release

fig2dev                     Reject huge pattern lengths [CVE-2025-31162];
                            reject arcs with co-incident points
                            [CVE-2025-31163]; allow an arc-box with zero
                            radius [CVE-2025-31164]

fossil                      Fix interaction with an Apache HTTP server
                            including the fix for CVE-2024-24795

gcc-12                      Fix -fstack-protector handling of overflows on
                            AArch64 [CVE-2023-4039]

gcc-mingw-w64               Rebuild for outdated Built-Using
                            (gcc-12/12.2.0-13)

glib2.0                     Fix integer overflow in
                            g_date_time_new_from_iso8601() [CVE-2025-3360]

golang-github-containerd-   Rebuild for outdated Built-Using
stargz-snapshotter          (containerd/1.6.20~ds1-1, runc/1.1.5+ds1-1)

golang-github-containers-   Rebuild for outdated Built-Using
buildah                     (containerd/1.6.20~ds1-1)

golang-github-openshift-    Rebuild for outdated Built-Using
imagebuilder                (containerd/1.6.20~ds1-1,
                            docker.io/20.10.24+dfsg1-1)

haproxy                     Fix heap buffer overflow issue [CVE-2025-32464]

igtf-policy-bundle          Backport current policy bundle

imagemagick                 Fix "MIFF image depth mishandled after
                            SetQuantumFormat" [CVE-2025-43965]

initramfs-tools             Restore copy_file's handling of target ending
                            in slash; exclude usr-merge symlinks in
                            copy_file; add reset drivers when MODULES=dep

krb5                        Fix memory leak in ndr.c [CVE-2024-26462];
                            prevent buffer overflow when calculating ulog
                            buffer size [CVE-2025-24528]

libbson-xs-perl             Fix security issues in embedded copy of
                            libbson: denial of service [CVE-2017-14227];
                            buffer over-read [CVE-2018-16790]; infinite
                            loop [CVE-2023-0437]; memory corruption
                            [CVE-2024-6381]; buffer overflows
                            [CVE-2024-6383 CVE-2025-0755]

libcap2                     Fix incorrect recognition of group names
                            [CVE-2025-1390]

libdata-entropy-perl        Seed entropy pool with urandom by default
                            [CVE-2025-1860]

libpod                      Rebuild for outdated Built-Using
                            (containerd/1.6.20~ds1-1,
                            docker.io/20.10.24+dfsg1-1,
                            golang-github-containers-buildah/1.28.2+ds1-3)

libsub-handlesvia-perl      Fix arbitrary code execution issue
                            [CVE-2025-30673]

linux                       New upstream release; bump ABI to 35

linux-signed-amd64          New upstream release; bump ABI to 35

linux-signed-arm64          New upstream release; bump ABI to 35

linux-signed-i386           New upstream release; bump ABI to 35

logcheck                    Respect removal of /etc/logcheck/header.txt

mongo-c-driver              Fix infinite loop issue [CVE-2023-0437]; fix
                            integer overflow issue [CVE-2024-6381]; fix
                            buffer overflow issues [CVE-2024-6383
                            CVE-2025-0755]

network-manager             Fix crash dereferencing NULL pointer during
                            debug logging [CVE-2024-6501]

nginx                       Fix buffer underread and unordered chunk
                            vulnerabilities in mp4 [CVE-2024-7347]

node-fstream-ignore         Fix build failure by not running tests in
                            parallel

node-send                   Fix cross-site scripting issue [CVE-2024-43799]

node-serialize-javascript   Fix cross-site scripting issue [CVE-2024-11831]

nvidia-graphics-drivers     New upstream stable release; remove ppc64el
                            support (migrated to
                            src:nvidia-graphics-drivers-tesla-535); fix
                            build issues with newer kernel versions;
                            security fixes [CVE-2024-0131 CVE-2024-0147
                            CVE-2024-0149 CVE-2024-0150 CVE-2024-53869
                            CVE-2025-23244]

nvidia-graphics-drivers-    New upstream stable release; transition to
tesla                       packages from
                            src:nvidia-graphics-drivers-tesla-535 on
                            ppc64el; fix build issues with newer kernel
                            versions

nvidia-graphics-drivers-    New package for the now EOL ppc64el support
tesla-535

nvidia-open-gpu-kernel-     New upstream stable release; security fixes
modules                     [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149
                            CVE-2024-0150 CVE-2024-53869 CVE-2025-23244]

nvidia-settings             New upstream stable release; drop support for
                            some obsolete packages; relax the
                            nvidia-alternative dependency to a suggestion
                            on ppc64el

openrazer                   Fix out of bounds read issue [CVE-2025-32776]

opensnitch                  Rebuild for outdated Built-Using
                            (golang-github-google-nftables/0.1.0-3)

openssh                     Fix the DisableForwarding directive
                            [CVE-2025-32728]

openssl                     New upstream stable release; fix timing side
                            channel issue [CVE-2024-13176]

openvpn                     Avoid possible ASSERT() on OpenVPN servers
                            using --tls-crypt-v2 [CVE-2025-2704]; prevent
                            malicious peer DoS or log-flooding
                            [CVE-2024-5594]; refuse multiple exit
                            notifications from authenticated clients
                            [CVE-2024-28882]; update expired certificates
                            in build tests

phpmyadmin                  Fix XSS vulnerabilities [CVE-2025-24529
                            CVE-2025-24530]

policyd-rate-limit          Fix startup with newer python3-yaml

poppler                     Fix crash on malformed files [CVE-2023-34872];
                            fix out-of-bounds read issues [CVE-2024-56378
                            CVE-2025-32365]; fix floating point exception
                            issue [CVE-2025-32364]

postgresql-15               New upstream stable release; fix buffer
                            over-read issue [CVE-2025-4207]

prometheus                  Rebuild for outdated Built-Using
                            (docker.io/20.10.24+dfsg1-1)

prometheus-postfix-         Rebuild for outdated Built-Using
exporter                    (docker.io/20.10.24+dfsg1-1)

python-h11                  Fix request smuggling issue [CVE-2025-43859]

python3.11                  Fix misparsing issues [CVE-2025-0938
                            CVE-2025-1795]

qemu                        New upstream bugfix release

qtbase-opensource-src       Delay HTTP2 communication until encrypted() can
                            be responded to [CVE-2024-39936]; fix crash
                            with null checks in table iface methods

redis                       Fix denial of service issue [CVE-2025-21605]

renaissance                 Avoid exception on startup

sash                        Rebuild for outdated Built-Using (glibc/2.36-9)

shadow                      Fix password leak issue [CVE-2023-4641]; fix
                            chfn control character injection issue
                            [CVE-2023-29383]

skeema                      Rebuild for outdated Built-Using
                            (containerd/1.6.20~ds1-1,
                            docker.io/20.10.24+dfsg1-1)

skopeo                      Rebuild for outdated Built-Using
                            (docker.io/20.10.24+dfsg1-1)

telegram-desktop            Rebuild for outdated Built-Using
                            (ms-gsl/4.0.0-2)

tripwire                    Rebuild for outdated Built-Using
                            (glibc/2.36-9+deb12u5)

twitter-bootstrap3          Fix cross-site scripting issues [CVE-2024-6485
                            CVE-2024-6484]

twitter-bootstrap4          Fix cross-site scripting issue [CVE-2024-6531]

tzdata                      New America/Coyhaique zone for Aysén Region in
                            Chile

user-mode-linux             Rebuild for outdated Built-Using
                            (linux/6.1.82-1)

varnish                     Prevent HTTP/1 client-side desync
                            [CVE-2025-30346]

wireless-regdb              New upstream release

xmedcon                     Fix buffer overflow [CVE-2025-2581]

zsh                         Rebuild for outdated Built-Using
                            (glibc/2.36-9+deb12u5, libcap2/1:2.66-4)

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                     Reason
-------                     ------

viagee                      No longer able to connect to gmail

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".