----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 276-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
November 10th, 2025
----------------------------------------------------------------------------
Upcoming Debian 13 Update (13.2)
An update to Debian 13 is scheduled for Saturday, November 15th, 2025. As of
now it will include the following bug fixes. They can be found in
"trixie-proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "trixie-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package Reason
------- ------
7zip New upstream release; security fixes
[CVE-2025-55188 CVE-2025-11002 CVE-2025-11001]
7zip-rar Add missing CRC table constructor
aide Fix bin/buildcache use by running it from a
root timer; various updates and fixes to
included rules
allow-html-temp New upstream version to support newer
Thunderbird releases
alsa-ucm-conf-asahi Install missing aop_audio UCM configs
ansible Update collections to maintain compatibility
with ansible-core 2.19
ansible-core New upstream stable release; fix regression
from 2.18 regarding handlers and play tags
asahi-scripts Fix the macaudio default profile check; add the
apple_nvmem_spmi module to the initramfs
explicitly; make update-m1n1 idempotent
base-files Update for the point release
brltty atSpi2: do not manage widgets without text
interface; avoid excessive verbose
bluetooth/usbfs messages
console-setup Update keyboard layouts dz(la) into
dz(azerty-oss) and use ca/multix variant instead of
ca/multi; fix dz(azerty-oss/deadkeys) into dz,
which is what xkb really provides; fix dz
default layout
cups Fix operation of checkboxes in admin interface
curl Fix buffer over-read issue [CVE-2025-9086]; fix
cache poisoning issue [CVE-2025-10148]; fix
path traversal issue [CVE-2025-11563]; allow
--output to be overridden by --curl-options;
fix manpage example for "continue-at"; fix path
traversal issue [CVE-2025-11563]
debian-edu-config Use SERVER_ADDRESS in RewriteRule instead of
hard-coded 'www'; drop desktop bundle from
bundlesequence
dhcpcd Fix crash when an address is deleted; prevent
failure to start if wpasupplicant is not
installed
distro-info-data Update EoL date for bookworm; add Ubuntu 26.04
LTS "Resolute Raccoon"
dkms New upstream release; stop shipping
dkms.service, fixing dependency cycle with
cloud-init-network.service; emit a warning if
no kernel headers were found
dns-root-data Update root-anchors.p7s (the signature of
root-anchors.xml) with a new expiration date
dnsdist Fix denial of service issues [CVE-2025-8671
CVE-2025-30187]
dolphin-emu Fix interaction with RetroAchievements; fix
translations
dovecot Ensure default lmtpd auth_username_format
matches the global value; fix oauth
configuration parsing; lib-sieve: correctly
handle errors; clean up a few typos in
default/example configuration
eas4tbsync New upstream version to support newer
Thunderbird releases
emacs-libvterm Convert elpa-vterm to an architecture-dependent
package
eperl Avoid passing a truncated environment on Perl
5.40
epiphany-browser New upstream stable release; fix various
crashes; fix PKCS#11 login for invalid
cert/priv pairs
evolution New upstream stable release
evolution-data-server New upstream stable release; fix busy loop when
using the MH format mail archive
fangfrisch Update sanesecurity mirror as the old one will
stop working soon
fluidsynth Set the default samplerate to 48000 and buffer
size to 512 in the service configuration,
fixing high CPU usage and distorted sound
folder-account New upstream version to support newer
Thunderbird releases
fonts-noto-color-emoji New upstream release; add support for the
Unicode 17.0 standard
freeradius Fix compatibility with OpenSSL 3.5.2
gnome-maps New upstream stable release; fix a regression
when requesting route planning from
transitous.org; add address format for Austria
and Paraguay
gnome-session Fix default app priority for early adopters of
Papers and Showtime
google-recaptcha Fix PHP 8.4 deprecation warnings
ikvswitch Use Trixie as default distro for the setup;
don't fail on errors when taking down an IPMI
bridge; use a sysctl.d fragment file rather
than sysctl.conf
imagemagick Fix integer overflow issue [CVE-2025-62171]
input-remapper Add missing python3-psutil runtime dependency
irqbalance Enable write access to /proc/irq in service
definition
jdupes Fix detection of unique files
jing-trang Re-import upstream release, to remove
incorrectly included files
keepassxc-browser Fix compatibility with Chromium
kmail-account-wizard Enable automatic QML dependency detection
lemonldap-ng Fix command injection issue [CVE-2025-59518];
don't expose session-id into Ajax responses;
fix Google authentication
libcommons-lang-java Fix an uncontrolled recursion issue
[CVE-2025-48924]
libcommons-lang3-java Fix an uncontrolled recursion issue
[CVE-2025-48924]
libgpiod Remove unnecessary Breaks/Replaces on libgpiod2
and libgpiod2t64
libhtp Prevent memory leak with lzma [CVE-2025-53537]
libsmb2 Fix buffer overflow issue [CVE-2025-57632]
libssh Fix NULL pointer dereference issue
[CVE-2025-8114]; fix denial of service issue
[CVE-2025-8277]
libvirt Don't require TLS certificate to support
keyEncipherment; lower log level of a message,
avoiding journal spam when using the LXC
driver; fix a daemon crash that occurs when
probing capabilities for a QEMU binary that
doesn't report information about CPU models
libwebsockets Fix denial of service issue [CVE-2025-11677];
fix buffer overflow issue [CVE-2025-11678]
libxml2 Fix XPath recursion depth DoS [CVE-2025-9714]
libyaml-syck-perl Prevent memory corruption leading to 'str'
value being set on empty keys [CVE-2025-11683]
linux New upstream stable release
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
lnav Handle failure to set cregs from tmux
log4cxx Fix improper escaping issues [CVE-2025-54812
CVE-2025-54813]
logcheck Update ignore.d.paranoid/ssh and
ignore.d.server/ssh
lttng-modules Fix potential kernel crash with syscall tracing
luksmeta Fix data corruption issue with LUKS1
[CVE-2025-11568]
lxcfs Add missing dependency on fuse3
magit Ship missing magit-dired.el in elpa-magit
mailfromd Rebuild to fix symbol lookup error
mailmindr New upstream version to support newer
Thunderbird releases
malcontent Fix filtering snaps after snapd 2.72; fix
listing flatpaks in parental control UI; fix
memory leak when checking snaps
mapserver Fix SQL injection issue [CVE-2025-59431]
mc Fix accidental use of >&10 for subshells,
avoiding delays at startup
modsecurity-apache Fix security issues relating to response
Content-Type handling [CVE-2025-54571]
monitoring-plugins Fix check_users in combination with systemd;
fix check_mysql plugin with newer MySQL
versions
mpv Create missing folders for watch history
mrtg Fix duplicate WorkDir lines in cfgmaker output
nextcloud-desktop New upstream stable release
nfdump Honour subdir (-S) when using dynamic FlowSource
(-M)
nova Fix information disclosure issue
nvidia-graphics-drivers-tesla-535 Fix use after free issue [CVE-2025-23280]; fix
privilege escalation issue [CVE-2025-23282];
fix denial of service issues [CVE-2025-23300
CVE-2025-23330 CVE-2025-23332 CVE-2025-23345]
onetbb Fix test failures on single-CPU test machines;
skip flaky mutex tests
open-vm-tools Disable (default) the execution of the SDMP
get-versions.sh script [CVE-2025-41244]
openssl New upstream stable release
openvpn-auth-radius Fix packet authentication
orphan-sysvinit-scripts Add haveged init script
patroni New upstream stable release
pdns-recursor Switch to dpkg/default.mk; drop CARGO_REGISTRY
override
phpmyadmin Address XSS vulnerability in bundled
jquery.validate.js [CVE-2025-3573]
poppler Fix infinite recursion [CVE-2025-50420]
postfix New upstream stable release; fix typo which
caused recreating cadir in chroot and excessive
logging
presage Prevent crash with apostrophes in completion
suggestions
privatebin-cli Fix connections to pastebins using GCM ciphers
proftpd-dfsg Don't remove /srv/ftp on package purge
puppet-module-puppetlabs-rabbitmq Fix list_users provider; setup all nodes as
disk nodes
puppet-module-tempest Fix autoloading of openstack provider
python-eventlet Fix HTTP request smuggling by discarding HTTP
chunk trailers [CVE-2025-58068]
qemu New upstream stable release; fix denial of
service issue [CVE-2024-8354]; fix wrong
emulation of FIBMAP and FIGETBSZ ioctls
qt6-base Fix high CPU usage of kwin_x11 on screen lock
(X11)
quicktext New upstream version to support newer
Thunderbird releases
rabbitmq-server Fix logging on sensitive data [CVE-2025-50200]
riseup-vpn Add dependency on qml6-module-qtcore
rocm-hipamd Fix linking for programs that include
<hip/hip_bf16.h> in more than one translation
unit; fix spelling error in roc-obj-ls manpage
rsyslog-doc Switch documentation theme to sphinx_rtd_theme
ruby-sys-filesystem Fix detection of 64-bit OS on s390x and alpha
rust-virtiofsd Add missing dependency on uidmap
sail Fix memory corruption issues [CVE-2025-32468
CVE-2025-35984 CVE-2025-46407 CVE-2025-50129
CVE-2025-52456 CVE-2025-52930 CVE-2025-53085
CVE-2025-53510]
samba New upstream stable release; fix uninitialized
memory disclosure issue [CVE-2025-9640],
command injection issue [CVE-2025-10230]
samhain Disable dnmalloc, preventing possible segfaults
spip Fix open redirect issue on AJAX login form
stardict Split plugin into a new
stardict-plugin-network-dictionary package; disable
stardict_dictdotcn.so plugin
suricata Fix uncontrolled memory use issue
[CVE-2025-53538]; fix detection bypass issue
[CVE-2025-59147]
syslog-ng Disable writing of log statistics by default
systemd New upstream stable release; systemd-networkd:
fix segfault on VLAN-aware bridges; fix
DNS-over-TLS handling in systemd-resolved;
improve service and unit lifecycle stability;
handle TPM2 and pcrlock corner cases; update
documentation; refresh hwdb data; sync with
Linux UAPI headers
systemd-boot-efi-amd64-signed New upstream stable release; systemd-networkd:
fix segfault on VLAN-aware bridges; fix
DNS-over-TLS handling in systemd-resolved;
improve service and unit lifecycle stability;
handle TPM2 and pcrlock corner cases; update
documentation; refresh hwdb data; sync with
Linux UAPI headers
systemd-boot-efi-arm64-signed New upstream stable release; systemd-networkd:
fix segfault on VLAN-aware bridges; fix
DNS-over-TLS handling in systemd-resolved;
improve service and unit lifecycle stability;
handle TPM2 and pcrlock corner cases; update
documentation; refresh hwdb data; sync with
Linux UAPI headers
tango Fix broken communication between versions 9 and
10
tbsync New upstream version to support newer
Thunderbird releases
ublock-origin New upstream release; improve user experience
and add new filter capabilities
virt-manager Fix "Browse local" function
watcher Fix information disclosure issue
wike Set a User Agent, to ensure that the mobile
version of Wikipedia is used
wtmpdb Rotate and prune logs using logrotate; store
logs in system log directory
xnote New upstream version to support newer
Thunderbird releases
xorg Fix login failure with sessions using multiple
words in invocation
xssproxy Fix compatibility with Chromium and
xdg-desktop-portal-gtk
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
------- ------
rust-profiling-procmacros Unused
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".