----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 274-1       https://www.debian.org/
debian-release@lists.debian.org                            Adam D. Barratt
September 2nd, 2025
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.12)

An update to Debian 12 is scheduled for Saturday, September 6th, 2025. As of
now it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the Debian
Bug Tracking System, but please make the Release Team aware of them by copying
"debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                       Reason
-------                       ------
amd64-microcode               Update AMD-SEV firmware [CVE-2024-56161];
                              update included microcode
aom                           Fix libaom encoder output validity
apache2                       New upstream stable release; fix HTTP response
                              splitting issue [CVE-2024-42516]; fix
                              server-side request forgery issues
                              [CVE-2024-43204 CVE-2024-43394]; fix log
                              injection issue [CVE-2024-47252]; fix access
                              control bypass issue [CVE-2025-23048]; fix
                              denial of service issue [CVE-2025-49630]; fix
                              potential man-in-the-middle issue
                              [CVE-2025-49812]; fix memory lifetime
                              management issue [CVE-2025-53020]
b43-fwcutter                  Update firmware URL
balboa                        Rebuild against glibc 2.36-9+deb12u12
base-files                    Update for the point release
bash                          Rebuild against glibc 2.36-9+deb12u12
botan                         Fix denial of service issues [CVE-2024-34702
                              CVE-2024-34703]; fix improper parsing of name
                              constraints [CVE-2024-39312]; fix
                              compiler-induced secret-dependent operation
                              issue [CVE-2024-50383]
busybox                       Rebuild against glibc 2.36-9+deb12u12
ca-certificates               Add Sectigo Public Server Authentication Root
                              E46 and Sectigo Public Server Authentication
                              Root R46
catatonit                     Rebuild against glibc 2.36-9+deb12u12
cdebootstrap                  Rebuild against glibc 2.36-9+deb12u12
chkrootkit                    Rebuild against glibc 2.36-9+deb12u12
cjson                         Fix denial of service issue [CVE-2023-26819];
                              fix heap buffer overflow issue [CVE-2023-53154]
clamav                        New upstream stable release; fix buffer
                              overflow issues [CVE-2025-20128 CVE-2025-20260]
cloud-init                    Make hotplug socket writable only by root
                              [CVE-2024-11584]; don't attempt to identify
                              non-x86 OpenStack instances [CVE-2024-6174]
commons-beanutils             Fix improper access control issue
                              [CVE-2025-48734]
commons-vfs                   Fix path traversal issue [CVE-2025-27553]
corosync                      Fix buffer overflow vulnerability on large UDP
                              packets [CVE-2025-30472]
criu                          Fix restore functionality of mount namespaces
                              with newer kernel versions
curl                          Fix regression handling sftp://host/~ URIs;
                              fix a memory leak
dar                           Rebuild against glibc 2.36-9+deb12u12
debian-edu-config             Fix quoting in Exim configuration; gosa-sync:
                              fix password verification; fix quoting in
                              gosa.conf
debian-security-support       Query source:Package instead of Source to get
                              the correct list of packages; fix typo related
                              to gobgp
distro-info-data              Add Ubuntu end of Legacy Support dates; add
                              release and estimated EoL for trixie
djvulibre                     Fix denial of service issues [CVE-2021-46310
                              CVE-2021-46312]
docker.io                     Rebuild against glibc 2.36-9+deb12u12
dpdk                          New upstream stable release
dropbear                      Fix shell injection vulnerability in multihop
                              handling [CVE-2025-47203]
e2fsprogs                     Rebuild against glibc 2.36-9+deb12u12
erlang                        ssh: fix strict KEX hardening [CVE-2025-46712];
                              zip: sanitize pathnames when extracting files
                              with absolute pathnames [CVE-2025-4748]; fix
                              documentation build failure with newer xsltproc
                              versions
expat                         Fix denial of service issues [CVE-2023-52425
                              CVE-2024-8176]; fix parser crash
                              [CVE-2024-50602]
fig2dev                       Detect nan in spline control values
                              [CVE-2025-46397]; permit \0 in 2nd line in fig
                              file [CVE-2025-46398]; ge output: correct
                              spline computation [CVE-2025-46399]; reject
                              arcs with a radius smaller than 3
                              [CVE-2025-46400]
firebird3.0                   Fix NULL pointer dereference issue
                              [CVE-2025-54989]
fort-validator                Fix denial of service issues [CVE-2024-45234
                              CVE-2024-45235 CVE-2024-45236 CVE-2024-45238
                              CVE-2024-45239 CVE-2024-48943]; fix buffer
                              overflow issue [CVE-2024-45237]
galera-4                      New upstream stable release
glib2.0                       Fix buffer underflow issues [CVE-2025-4373
                              CVE-2025-7039]; improve upgrade safety
glibc                         Fix incorrect LD_LIBRARY_PATH search in dlopen
                              for static setuid binaries [CVE-2025-4802];
                              improve memory layout of structures in
                              exp/exp10/expf functions; add an SVE
                              implementation of memset on aarch64; improve
                              generic implementation of memset on aarch64;
                              fix double free issue [CVE-2025-8058]
gnupg2                        Fix recommends of architecture-any packages on
                              architecture-all package to support binNMUs
golang-github-gin-contrib-cors
                              Fix mishandling of wildcards [CVE-2019-25211]
gst-plugins-base1.0           Fix buffer overrun issue [CVE-2025-47806]; fix
                              NULL pointer dereference issues [CVE-2025-47807
                              CVE-2025-47808]
gst-plugins-good1.0           Fix possible information disclosure issue
                              [CVE-2025-47219]
init-system-helpers           Fix handling of os-release diversions from
                              live-build, ensuring they don't exist in
                              non-live systems
insighttoolkit4               Fix build on systems with a single CPU
insighttoolkit5               Fix build on systems with a single CPU
integrit                      Rebuild against glibc 2.36-9+deb12u12
iperf3                        Fix buffer overflow issue [CVE-2025-54349]; fix
                              assertion failure [CVE-2025-54350]
jinja2                        Fix arbitrary code execution issue
                              [CVE-2025-27516]
jq                            Zero-terminate string in jv.c [CVE-2025-48060]
kexec-tools                   Remove no longer required dependencies
kmail-account-wizard          Fix man-in-the-middle attack issue
                              [CVE-2024-50624]
krb5                          Fix message tampering issue [CVE-2025-3576];
                              disable issuance of tickets using RC4 or
                              triple-DES session keys by default
kubernetes                    Sanitise raw data output to terminal
                              [CVE-2021-25743]; hide long and multi-line
                              strings when printing
libarchive                    Fix integer overflow issues [CVE-2025-5914
                              CVE-2025-5916], buffer over-read issue
                              [CVE-2025-5915], buffer overflow issue
                              [CVE-2025-5917]
libbpf                        Fix operation with newer systemd versions
libcap2                       Rebuild against glibc 2.36-9+deb12u12; add
                              missing Built-Using: glibc
libcgi-simple-perl            Fix HTTP response splitting issue
                              [CVE-2025-40927]
libfcgi                       Fix integer overflow issue [CVE-2025-23016]
libfile-tail-perl             Fix uninitialized variable issue
libphp-adodb                  Fix SQL injection vulnerability in
                              pg_insert_id() [CVE-2025-46337]
libraw                        Fix out-of-bounds read issues [CVE-2025-43961
                              CVE-2025-43962 CVE-2025-43963]; enforce minimum
                              w0 and w1 values [CVE-2025-43964]
libreoffice                   Add EUR support for Bulgaria
libsndfile                    Fix integer overflow issue [CVE-2022-33065];
                              fix out of bounds read issue [CVE-2024-50612]
libsoup3                      New upstream bug-fix release; fix buffer
                              overrun issue [CVE-2024-52531]; fix denial of
                              service issues [CVE-2024-52532 CVE-2025-32051];
                              fix heap overflow issues [CVE-2025-32052
                              CVE-2025-32053]; fix integer overflow issue
                              [CVE-2025-32050]; fix heap buffer overflow
                              issue [CVE-2025-2784]; reject HTTP headers if
                              they contain null bytes [CVE-2024-52530]; fix
                              denial of service issues [CVE-2025-32909
                              CVE-2025-32910 CVE-2025-46420 CVE-2025-32912
                              CVE-2025-32906]; fix memory management issues
                              [CVE-2025-32911 CVE-2025-32913]; fix credential
                              disclosure issue [CVE-2025-46421]; fix
                              use-after-free during disconnection, which can
                              cause GNOME Calculator to hang at startup; fix
                              a test failure on some 32-bit systems
libtheora                     Prevent segfault during decoder initialisation;
                              avoid possible bit-shifting in decoder
libtpms                       Fix out of bounds read issue [CVE-2025-49133]
libxml2                       Fix integer overflow issue in xmlBuildQName
                              [CVE-2025-6021]; fix potential buffer overflows
                              in the interactive shell [CVE-2025-6170]; fix
                              use-after-free issue in
                              xmlSchematronReportOutput [CVE-2025-49794]; fix
                              type confusion issue in
                              xmlSchematronReportOutput [CVE-2025-49796]
libyaml-libyaml-perl          Fix arbitrary file edit issue [CVE-2025-40908]
lintian                       Add the release names bookworm through duke to
                              the list of known Debian release names; don't
                              emit source-nmu-has-incorrect-version-number
                              for stable updates
linux                         New upstream stable release; increase ABI to 39
linux-signed-amd64            New upstream stable release; increase ABI to 39
linux-signed-arm64            New upstream stable release; increase ABI to 39
linux-signed-i386             New upstream stable release; increase ABI to 39
llvm-toolchain-19             New upstream stable release
luajit                        Fix buffer overflow issue [CVE-2024-25176]; fix
                              denial of service issue [CVE-2024-25177]; fix
                              out-of-bounds read issue [CVE-2024-25178]
lxc                           Rebuild against glibc 2.36-9+deb12u12
mailgraph                     Update embedded copy of Parse::Syslog, enabling
                              support for RFC3339 dates
mariadb                       New upstream stable release; security fixes
                              [CVE-2023-52969 CVE-2023-52970 CVE-2023-52971
                              CVE-2025-30693 CVE-2025-30722]; fix restart
                              after out of memory
mkchromecast                  Replace youtube-dl with yt-dlp
mlt                           Fix Python scripts
mono                          Remove unneeded (and broken) mono-source
                              package
mosquitto                     Fix memory leak issue [CVE-2023-28366]; fix out
                              of bounds memory access issue [CVE-2024-10525];
                              fix double free issue [CVE-2024-3935]; fix
                              possible segmentation fault issue
                              [CVE-2024-8376]
multipath-tools               Reinstate ANA prioritizer in build process
nextcloud-desktop             Fix share options in graphical interface
nginx                         Fix potential information leak in
                              ngx_mail_smtp_module [CVE-2025-53859]
node-addon-api                Add support for nodejs >= 18.20
node-csstype                  Fix build failure
node-form-data                Fix insufficient randomness issue
                              [CVE-2025-7783]
node-minipass                 Fix tap reporter in auto test and autopkgtest
node-nodeunit                 Fix test flakiness
node-tar-fs                   Fix path traversal issues [CVE-2024-12905
                              CVE-2025-48387]
node-tmp                      Fix arbitrary file write issue [CVE-2025-54798]
nvda2speechd                  Fix required rmp-serde version
openjpeg2                     Fix NULL pointer dereference issue
                              [CVE-2025-50952]
openssh                       Handle OpenSSL >= 3 ABI compatibility to avoid
                              new SSH connections failing during upgrades to
                              trixie
openssl                       New upstream stable release; revert some
                              upstream changes to avoid crashes in downstream
                              software
perl                          Fix TLS certificate verification issue
                              [CVE-2023-31484]; fix non-thread-safe file
                              access [CVE-2025-40909]
postgresql-15                 New upstream stable release; tighten security
                              checks in planner estimation functions
                              [CVE-2025-8713]; prevent pg_dump scripts from
                              being used to attack the user running the
                              restore [CVE-2025-8714]; convert newlines to
                              spaces in names included in comments in pg_dump
                              output [CVE-2025-8715]
postgresql-common             PgCommon.pm: set defined path in prepare_exec;
                              fixes compatibility with trixie's perl version
prody                         Fix build failure; add tolerance to some tests
                              which now fail on i386
python-django                 Fix regular expression-based denial of service
                              issue [CVE-2023-36053], denial of service
                              issues [CVE-2024-38875 CVE-2024-39614
                              CVE-2024-41990 CVE-2024-41991], user
                              enumeration issue [CVE-2024-39329], directory
                              traversal issue [CVE-2024-39330], excessive
                              memory consumption issue [CVE-2024-41989], SQL
                              injection issue [CVE-2024-42005]
python-flask-cors             Fix log data injection issue [CVE-2024-1681];
                              fix improper path processing issues
                              [CVE-2024-6866 CVE-2024-6839 CVE-2024-6844]
python-mitogen                Support targets with Python >= 3.12
python-zipp                   Fix denial of service issue [CVE-2024-5569]
qemu                          Rebuild against glibc 2.36-9+deb12u12; new
                              upstream bugfix release
raptor2                       Fix integer underflow issue [CVE-2024-57823];
                              fix heap read buffer overflow issue
                              [CVE-2024-57822]
rar                           New upstream release; fix ANSI escape injection
                              issue [CVE-2024-33899]
rubygems                      Fix credential leak issue [CVE-2025-27221]; fix
                              regular expression-related denial of service
                              issue [CVE-2023-28755]
rust-cbindgen-web             Rebuild against current rustc-web
rustc-web                     New upstream stable release, to support
                              building of newer Chromium versions
samba                         Fix various bugs following a change to
                              Microsoft Active Directory
sash                          Rebuild against glibc 2.36-9+deb12u12
setuptools                    Fix arbitrary file write issue [CVE-2025-47273]
shaarli                       Fix cross-site scripting issue [CVE-2025-55291]
simplesamlphp                 Fix signature verification issue
                              [CVE-2025-27773]
snapd                         Rebuild against glibc 2.36-9+deb12u12
sqlite3                       Fix memory corruption issue [CVE-2025-6965];
                              fix bug in NOT NULL/IS NULL optimization that
                              can cause invalid data
supermin                      Rebuild against glibc 2.36-9+deb12u12
systemd                       New upstream stable release
tini                          Rebuild against glibc 2.36-9+deb12u12
tripwire                      Rebuild against glibc 2.36-9+deb12u12
tsocks                        Rebuild against glibc 2.36-9+deb12u12
tzdata                        Confirm leap second status for 2025
usb.ids                       New upstream update
waitress                      Fix race condition in HTTP pipelining
                              [CVE-2024-49768]; fix denial of service issue
                              [CVE-2024-49769]
webpy                         Fix SQL injection issue [CVE-2025-3818]
wireless-regdb                New upstream release, updating included
                              regulatory data; permit 320 MHz bandwidth in
                              6 GHz band for GB
wolfssl                       Fix insufficient randomisation issue
                              [CVE-2025-7394]
wpa                           Fix inappropriate reuse of PKEX elements
                              [CVE-2022-37660]
xfce4-weather-plugin          Migrate to new APIs; update translations
xrdp                          Fix session restrictions bypass issue
                              [CVE-2023-40184]; fix out-of-bounds read issue
                              [CVE-2023-42822]; fix login restrictions bypass
                              issue [CVE-2024-39917]
ydotool                       Rebuild against glibc 2.36-9+deb12u12
zsh                           Rebuild against glibc 2.36-9+deb12u12

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                       Reason
-------                       ------
guix                          Unsupportable; security issues

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
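Added example, not part of the announcement: the table above names source packages and the CVE identifiers each fix carries, but a host's dpkg database lists binary packages, so deciding which of these updates matter to a given bookworm system means joining on the source package name rather than the binary name. The POSIX shell script below does that offline. It carries a constructed excerpt of the table and a constructed dpkg-query listing (package names are taken from the announcement; the installed versions are illustrative, not real), extracts the CVE IDs per source package, and reports which installed packages receive security fixes and which only get a rebuild or bug-fix release.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement: cross-reference the
# SUA package table with the packages installed on a bookworm host and list
# the CVE IDs each installed package picks up from the point release.
#
# The table names *source* packages; dpkg reports *binary* packages, so the
# join goes through ${source:Package} (libc6 -> glibc, libssl3 -> openssl).
# On a real host the installed list comes from:
#   dpkg-query -W -f='${binary:Package}|${Version}|${source:Package}\n'
# Both inputs below are constructed so the script runs offline.

# Constructed excerpt of the announcement's "Package  Reason" table, one
# entry per line with wrapped continuation lines folded back in.
ANNOUNCEMENT='amd64-microcode Update AMD-SEV firmware [CVE-2024-56161]; update included microcode
apache2 New upstream stable release; fix HTTP response splitting issue [CVE-2024-42516]; fix server-side request forgery issues [CVE-2024-43204 CVE-2024-43394]
bash Rebuild against glibc 2.36-9+deb12u12
glibc Fix incorrect LD_LIBRARY_PATH search in dlopen for static setuid binaries [CVE-2025-4802]; fix double free issue [CVE-2025-8058]
libxml2 Fix integer overflow issue in xmlBuildQName [CVE-2025-6021]
openssl New upstream stable release; revert some upstream changes to avoid crashes in downstream software
sqlite3 Fix memory corruption issue [CVE-2025-6965]'

# Constructed dpkg-query output: binary package|version|source package.
# The version strings are illustrative only.
INSTALLED='bash|5.2.15-2+b7|bash
libc6:amd64|2.36-9+deb12u10|glibc
libxml2:amd64|2.9.14+dfsg-1.3~deb12u2|libxml2
libssl3:amd64|3.0.16-1~deb12u1|openssl
nginx|1.22.1-9+deb12u2|nginx
libsqlite3-0:amd64|3.40.1-2+deb12u1|sqlite3'

# cves_for SRC: CVE IDs the table lists for source package SRC, space
# separated in order of appearance; empty when the entry carries none
# (pure rebuilds, upstream bug-fix releases) or SRC is not in the table.
cves_for() {
    printf '%s\n' "$ANNOUNCEMENT" \
        | awk -v pkg="$1" '$1 == pkg { $1 = ""; print }' \
        | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' \
        | tr '\n' ' ' | sed 's/ $//'
}

# in_announcement SRC: succeeds if source package SRC has a table entry.
in_announcement() {
    printf '%s\n' "$ANNOUNCEMENT" \
        | awk -v pkg="$1" '$1 == pkg { found = 1 } END { exit !found }'
}

# affected_sources: "source binary version" for every installed binary whose
# source package appears in the table, one per line, in dpkg order.
affected_sources() {
    printf '%s\n' "$INSTALLED" | while IFS='|' read -r bin ver src; do
        if in_announcement "$src"; then
            printf '%s %s %s\n' "$src" "$bin" "$ver"
        fi
    done
}

# report: one tab-separated line per affected source package:
#   source  security  CVE-...  when the entry carries CVE IDs
#   source  bugfix    -        otherwise (rebuild / bug-fix only)
report() {
    affected_sources | while read -r src bin ver; do
        cves=$(cves_for "$src")
        if [ -n "$cves" ]; then
            printf '%s\t%s\t%s\n' "$src" security "$cves"
        else
            printf '%s\t%s\t%s\n' "$src" bugfix -
        fi
    done
}

# security_cve_count: number of distinct CVE IDs this host would pick up.
security_cve_count() {
    report | awk -F'\t' '$2 == "security"' | cut -f3 \
        | tr ' ' '\n' | sort -u | wc -l | tr -d ' '
}

report
```

On a real host, replace INSTALLED with the output of the dpkg-query command quoted in the comment and ANNOUNCEMENT with the full table. The join on ${source:Package} is what catches libc6 (built from glibc) and libssl3 (built from openssl), which a match on binary names would miss. The announcement lists no versions, so the script says what the point release will bring to a host, not whether it has already been applied; once 12.12 is published, `apt list --upgradable` shows what is still pending.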