----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 277-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
January 5th, 2026
----------------------------------------------------------------------------

Upcoming Debian 13 Update (13.3)

An update to Debian 13 is scheduled for Saturday, January 10th, 2026. As of
now it will include the following bug fixes. They can be found in
"trixie-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "trixie-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                       Reason
-------                       ------
ansible                       New upstream stable release
apache2                       New upstream stable release; fix integer
                              overflow issue [CVE-2025-55753]; don't pass
                              querystring to #exec directives
                              [CVE-2025-58098]; fix improper parsing of
                              environment variables [CVE-2025-65082]; fix
                              mod_userdir+suexec bypass issue
                              [CVE-2025-66200]
at-spi2-core                  Ensure xkb group is taken into account for key
                              events
awffull                       Fix systemd timer invocation to avoid premature
                              cron-script exit
base-files                    Update for the point release
bash                          Rebuild with updated glibc
bglibs                        Rebuild with updated glibc
busybox                       Rebuild with updated glibc
calibre                       Fix FB2 embedded binary handling in conversion
                              plugin [CVE-2025-64486]
catatonit                     Rebuild with updated glibc
cdebootstrap                  Rebuild with updated glibc
chkrootkit                    Rebuild with updated glibc
cloud-init                    Ensure deb822 sources.list template renders
                              correctly
composer                      Fix ANSI sequence injection [CVE-2025-67746]
condor                        Rebuild with updated glibc
cups-filters                  Fix TIFF parser bounds/validation issues
                              [CVE-2025-57812]; clamp oversized PDF
                              MediaBox-derived page size in pdftoraster
                              [CVE-2025-64503]; avoid rastertopclx infinite
                              loop and heap overflow on crafted raster input
                              [CVE-2025-64524]
dar                           Rebuild with updated curl, glibc, openssl
debian-security-support       Mark hdf5 and zabbix as receiving limited
                              support; mark wpewebkit as unsupported
debos                         Move systemd-resolved from Recommends to
                              Depends
dgit                          Git-debrebase: use different directory for
                              nested workareas
dhcpcd                        Re-enable ntp_servers option by default
diffoscope                    Fix tests when ukify is newer
distribution-gpg-keys         Update included keys
distrobuilder                 Rebuild with updated containerd, incus
docker.io                     Rebuild with updated containerd, glibc
dpdk                          New upstream stable release
e2fsprogs                     Rebuild with updated glibc
edk2                          Fix timing side-channel issue in ECDSA
                              signature computation [CVE-2024-13176]; fix
                              out-of-bounds memory access issue
                              [CVE-2024-38805]; fix code execution issue
                              [CVE-2025-3770]
exfatprogs                    Ensure mkfs.exfat defaults to 512-byte sectors
                              for Windows compatibility
extrepo-data                  Update repository information; fix handling for
                              future Debian releases
flatpak                       New upstream stable release
fpdf2                         Fix use of variable fonts
freedombox                    distupgrade: Handle comments in sources.list
                              file; update trixie's release date; backups:
                              Set proper permissions for backups-data
                              directory [CVE-2025-68462]
freeradius                    Fix TLS verification segfault when certificate
                              chains include multiple intermediate
                              certificates
glib2.0                       Prevent various integer overflows
                              [CVE-2025-13601 CVE-2025-14087 CVE-2025-14512]
glibc                         Fix a double lock init issue after fork(); fix
                              SYSCALL_CANCEL for return values larger than
                              INT_MAX; fix crash in ifunc functions on arm64
                              when hardening with -ftrivial-auto-var-init=zero;
                              fix _dl_find_object when ld.so has
                              LOAD segment gaps, causing wrong backtrace
                              unwinding; optimize inverse trig function, SVE
                              exp, hyperbolic, and log1p functions on arm64
gnome-shell                   New upstream bugfix release
gnupg2                        Avoid potential downgrade to SHA1 in 3rd party
                              key signatures; error out on unverified output
                              for non-detached signatures; fix possible
                              memory corruption in the armor parser
                              [CVE-2025-68973]; do not use a default when
                              asking for another output filename
gnutls28                      Fix PKCS#11 token label bounds in
                              gnutls_pkcs11_token_init [CVE-2025-9820];
                              initialise PKCS#11 modules in thread-safe mode
                              with fallback
golang-github-awslabs-soci-snapshotter
                              Rebuild with updated containerd
golang-github-containerd-imgcrypt
                              Rebuild with updated containerd
golang-github-containerd-nydus-snapshotter
                              Rebuild with updated containerd
golang-github-containerd-stargz-snapshotter
                              Rebuild with updated containerd
golang-github-containers-buildah
                              Rebuild with updated containerd
golang-github-openshift-imagebuilder
                              Rebuild with updated containerd
imagemagick                   Fix denial of service issues [CVE-2025-62594
                              CVE-2025-68618]; fix use-after-free issue
                              [CVE-2025-65955]; fix integer overflow issues
                              [CVE-2025-66628 CVE-2025-69204]; fix infinite
                              loop issue [CVE-2025-68950]
incus                         Fix AppArmor profile generation for nested
                              containers
integrit                      Rebuild with updated glibc
intel-microcode               Update Intel processor microcode to 20251111
iperf3                        Fix authentication RSA encryption buffer length
                              initialisation for OpenSSL 3.5.3+; avoid build
                              failure with newer OpenSSL
kleopatra                     Fix failure to start with a file argument on
                              GNOME
libcap2                       Rebuild with updated glibc
libcoap3                      Fix configuration file parsing issue
                              [CVE-2025-59391]; fix NULL pointer dereference
                              issues [CVE-2025-65493 CVE-2025-65494
                              CVE-2025-65496 CVE-2025-65497 CVE-2025-65498
                              CVE-2025-65500 CVE-2025-65501]; fix integer
                              signedness issue [CVE-2025-65495]; fix array
                              index error issue [CVE-2025-65499]
libcupsfilters                Fix TIFF parser bounds/validation issues
                              [CVE-2025-57812]; clamp oversized PDF
                              MediaBox-derived page size in pdftoraster
                              [CVE-2025-64503]
libphp-adodb                  Fix SQL injection issue in sqlite(3) drivers
                              [CVE-2025-54119]
libreoffice                   Set Bulgaria locale default currency to EUR
libvirt                       Perform ACL checks earlier, preventing
                              malicious users from potentially being able to
                              crash the daemon [CVE-2025-12748]; ensure that
                              newly-created snapshots are not world-readable
                              [CVE-2025-13193]; apply the detect_zeroes
                              settings across all layers of the backing chain
                              instead of just the topmost one
linux                         New upstream stable release
linux-signed-amd64            New upstream stable release
linux-signed-arm64            New upstream stable release
lua-wsapi                     Fix Lua 5.1 support
lxc                           Add lxc-net dependency to sysvinit script; stop
                              printing misleading errors in enter_net_ns();
                              fix generation of
                              apparmor.d/abstractions/lxc/container-base; fix
                              restarting unprivileged containers
lxd                           Fix broken idmapping with kernel 6.9+; tighten
                              storage pool volume permissions
                              [CVE-2025-64507]
matlab-support                Avoid renaming MATLAB vendored Vulkan/FreeType
                              libraries
mbedtls                       New upstream stable release; fix timing issues
                              [CVE-2025-54764 CVE-2025-59438]
mirrorbits                    Fix fallback redirects when Redis/file metadata
                              is unavailable; normalise fallback mirror URLs
                              to avoid malformed redirects
mongo-c-driver                Avoid invalid memory reads [CVE-2025-12119]
mutter                        New upstream bugfix release
node-nodemailer               Fix addressparser recipient parsing for quoted
                              nested addresses [CVE-2025-13033]
openconnect                   Respect path in AnyConnect/OpenConnect XML form
                              handling; fix failure to build with MinGW32/64;
                              use RFC9266 'tls-exporter' channel bindings for
                              Cisco STRAP with TLSv1.3
pgbouncer                     Fix arbitrary SQL execution issue
                              [CVE-2025-12819]
podman                        Rebuild with updated containerd
postgresql-17                 New upstream stable release; check for CREATE
                              privileges on the schema in CREATE STATISTICS
                              [CVE-2025-12817]; avoid integer overflow in
                              allocation-size calculations within libpq
                              [CVE-2025-12818]
pylint-django                 Fix use with new astroid
qemu                          New upstream stable release; fix use after free
                              issue [CVE-2025-11234]; fix buffer overflow
                              issue [CVE-2025-12464]
qiv                           Fix Wayland startup crash by forcing X11 GDK
                              backend
r-bioc-beachmat               Fix test that depends on the "beachmat.hdf5" R
                              package, which is not yet in Debian
r-cran-gh                     Fix exposure of request headers in returned
                              response objects [CVE-2025-54956]; ensure
                              pagination passes authentication context
                              explicitly; update tests and documentation
reform-tools                  Fix building lpc with Linux >= 6.17
rlottie                       Fix outlying coordinate rejection in FreeType
                              rasteriser [CVE-2025-0634 CVE-2025-53074
                              CVE-2025-53075]
rsync                         Fix out-of-bounds read via negative array index
                              in sender file list handling [CVE-2025-10158]
rust-repro-env                Rebuild with updated rust-sequoia-openpgp
rust-ripasso-cursive          Rebuild with updated rust-sequoia-openpgp
rust-sequoia-chameleon-gnupg  Rebuild with updated rust-sequoia-openpgp
rust-sequoia-git              Rebuild with updated rust-sequoia-openpgp
rust-sequoia-keystore-server  Rebuild with updated rust-sequoia-openpgp
rust-sequoia-octopus-librnp   Rebuild with updated rust-sequoia-openpgp
rust-sequoia-openpgp          Fix buffer underflow in aes_key_unwrap
                              [CVE-2025-67897]
rust-sequoia-sop              Rebuild with updated rust-sequoia-openpgp
rust-sequoia-sq               Rebuild with updated rust-sequoia-openpgp
rust-sequoia-sqv              Rebuild with updated rust-sequoia-openpgp
sash                          Rebuild with updated glibc
sbuild                        Explicitly select the
                              sbuild-build-depends-main-dummy package
                              architecture; preserve TMPDIR when running
                              autopkgtest; lib/Sbuild/Build.pm: preserve
                              TMPDIR for piuparts; obey $TMPDIR for
                              autopkgtest dsc mkdtemp
snapd                         Rebuild with updated glibc
sogo                          Fix cross-site scripting issues [CVE-2025-63498
                              CVE-2025-63499]
suricata                      Fix verdict logging bounds checks
                              [CVE-2025-64330]; fix various logging stack
                              overflows [CVE-2025-64331 CVE-2025-64332
                              CVE-2025-64333 CVE-2025-64344]
survex                        Fix the width of the "find stations" search box
                              to make it actually usable again
swupdate                      Fix suricatta reboot-mode signalling via
                              progress interface
symfony                       Fix PATH_INFO parsing [CVE-2025-64500]; drop
                              failing Finder testsuite data entries
tini                          Rebuild with updated glibc
tripwire                      Rebuild with updated glibc
tsocks                        Rebuild with updated glibc
tzsetup                       Fix timezone for Argentina and Ukraine
user-mode-linux               Rebuild with Linux 6.12.63-1
yorick-gy                     Fix GIR module version loading for Gtk/Gdk;
                              switch to multiarch-friendly
                              libgirepository-1.0-dev build-dependency;
                              incorporate GCC-14/15 build fixes; update watch
                              file and metadata
zsh                           Rebuild with updated glibc, pcre

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".