----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 279-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
March 10th, 2026
----------------------------------------------------------------------------
Upcoming Debian 13 Update (13.4)
An update to Debian 13 is scheduled for Saturday, March 14th, 2026. As of
now it will include the following bug fixes. They can be found in "trixie-
proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "trixie-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package Reason
------- ------
akonadi Show all folders in kmail
apache2 Fix HTTP/2 regression
arduino-core-avr New upstream stable release; fix buffer
overflow issue [CVE-2025-69209]
asahi-scripts Fix SD card reader autosuspend
augeas Fix null pointer dereference issue
[CVE-2025-2588]
base-files Update for the point release
bash Rebuild with updated glibc
bglibs Rebuild with updated glibc
bird2 Use Restart=on-abnormal instead of on-abort;
RAdv: Fix flags for deprecated prefixes; BMP:
Fix crash when exporting a route with non-bgp
attributes; ASPA check fix for AS_SET
brltty Fix taking the VT number from the chosen
session
busybox Rebuild with updated glibc
capstone New upstream stable release; fix buffer
overflow issue [CVE-2025-67873]; fix buffer
underflow and overflow issue [CVE-2025-68114]
catatonit Rebuild with updated glibc
cdebootstrap Rebuild with updated glibc
chkrootkit Rebuild with updated glibc
chrony Open refclock writeable to maintain
compatibility with newer kernels
civetweb Fix denial of service issue [CVE-2025-9648];
fix buffer overflow issue [CVE-2025-55763]
ckb-next Fix init script installation and
initialisation; ensure cryptographic
verification of firmware updates
clatd Fix systemd unit installation; correct
NetworkManager dispatcher install path; provide
example configuration; ensure obsolete
dispatcher script is removed on upgrade
condor Rebuild with updated glibc
dar Rebuild with updated glibc, openssl
debian-ports-archive- Add "Debian Ports Archive Automatic Signing Key
keyring (2027)"; move 2025 signing key to the removed
keys keyring
debsig-verify Rebuild with updated dpkg
debvm Only use the console in nographics mode; use
correct variable name; autologin: prefer
credentials to monkey patching unit; customize-
resolved.sh: explicitly install systemd-
resolved
deets Rebuild with updated dpkg
direwolf Fix stack buffer overflow [CVE-2025-34457]
distribution-gpg-keys Update included keys
distrobuilder Rebuild with updated incus
docker.io Rebuild with updated glibc
dovecot Fix possible crash in ldap userdb; fix crash in
trash plugin; fix segfault when group ACLs are
present but the user has no groups
dpkg dpkg-query: Fix segfault with empty -S
argument; Dpkg::OpenPGP: Do not run verify with
no keyrings; Dpkg::Shlibs::Objdump::Object: Add
support for "Version References" symbols;
Dpkg::OpenPGP::Backend::GnuPG: Add missing
Dpkg::Gettext import; fix denial of service
issue [CVE-2026-2219]
e2fsprogs Rebuild with updated glibc
ejabberd Remove old apparmor profile file
ejabberd-contrib Rebuild with updated ejabberd
erlang Fix excessive resource use issues
[CVE-2025-48038 CVE-2025-48039 CVE-2025-48040
CVE-2025-48041]; fix traffic redirection issue
[CVE-2016-1000107]
ffmpegfs Fix incomplete listing of files in output
directory
flatpak New upstream stable release
fluidsynth Fix null pointer dereference issue
[CVE-2025-56225]
fonttools Fix arbitrary file write issue [CVE-2025-66034]
glibc Update from upstream stable branch; fix heap
corruption issue [CVE-2026-0861]; fix stack
contents leak issue [CVE-2026-0915]; fix
uninitialized memory use issue
[CVE-2025-15281]; switch currency symbol for
the bg_BG locale to euro; fix a null pointer
dereference in symbol lookup when the symbol
version hash is zero; fix various optimized
functions
gnome-shell Revert inadvertently backported change that can
cause the Shell UI to not appear on some
systems
gnu-efi Fix build of UEFI binaries for armhf
gnuais Fix displaying the map in gnuaisgui
gnupg2 Rebuild with updated glibc
gpsd Fix out-of-bounds write issue [CVE-2025-67268];
fix denial of service issue [CVE-2025-67269]
grub-efi-amd64-signed Fix ZFS root identification
grub-efi-arm64-signed Fix ZFS root identification
grub-efi-ia32-signed Fix ZFS root identification
grub2 Fix ZFS root identification
ifupdown Fix IPv6 DAD handling in ifup; correct dhclient
invocation ordering for IPv6; restore correct
executable path detection in ifup scripts
integrit Rebuild with updated glibc
jaraco.context Prevent path traversal [CVE-2026-23949]
libcap2 Rebuild with updated glibc
libguestfs Add dependency on isc-dhcp-client
libpng1.6 Fix heap buffer overflow issues [CVE-2026-22801
CVE-2026-22695]
libsndfile Fix memory leak issue [CVE-2025-56226]
linux-base Use compatible hook dir names for headers
packages
lxc Fix data corruption during heavy IO on PTS;
update lxc-default-with-nesting apparmor
profile; rebuild with updated glibc
mariadb New upstream stable release; fix arbitrary code
execution issue [CVE-2025-13699]; fix denial of
service issue [CVE-CVE-2026-21968]; use
tmpfiles.d to generate runtime directory; fix
upgrades from version 10.4 when encryption is
enabled; fix innodb_linux_aio support
mpg123 Do not modify raw ID3v2 data while parsing
node-proxy-agents Fix path traversal issue [CVE-2026-27699]
open-iscsi Fix discovery of "static" nodes
openssh Fix mistracking of MaxStartups process exits in
some situations; fix possible code execution
issues [CVE-2025-61984 CVE-2025-61985]
openssl New upstream stable release
passt Increase AppArmor ABI version to 4.0 to enable
user namespace creation
pcsx2 Fix code execution issue [CVE-2025-49589]
pdudaemon Add missing dependency on setuputils
phpunit Fix unsafe deserialization issue
[CVE-2026-24765]
plastimatch Repack to exclude non-free source files
policyd-rate-limit Fix operation with Python >= 3.12
postgresql-17 New upstream stable release; fix buffer overrun
issue [CVE-2026-2006]
python-cryptography Fix missing validation in EC public key
creation [CVE-2026-26007]
python-filelock Fix TOCTOU symlink handling vulnerability in
lock file creation [CVE-2025-68146]
python-multipart Fix arbitrary file write issue [CVE-2026-24486]
python-os-ken Accept empty "OXM" fields
python-pyspnego Fix deprecation warnings
qemu New upstream stable release; fix denial of
service issues [CVE-2025-14876 CVE-2026-0665];
rebuild with updated capstone, glibc
qtbase-opensource-src Fix data races; X11: set fallback logical DPI
to 96, fixing incorrect calculation
reprepro Fix incorrect tracking data when copying
packages
requests Fix credential leak issue [CVE-2024-47081]
riseup-vpn Support additional polkit providers
runit-services slim: start in foreground with -n; dbus-
dep.fixer: correctly test for existing services
definitions, only start dbus services, even
with the sysv override
rust-ntp-proto Fix excessive load issue [CVE-2026-26076]
rust-ntpd Rebuild with rust-ntp-proto 1.4.0-4+deb13u1 to
fix CVE-2026-26076
rust-tealdeer Update archive URL
samba New upstream stable release
sash Rebuild with updated glibc
scilab Fix build failure
snapd Rebuild with updated glibc
sqlite3 Prevent integer overflow in FTSS extension
[CVE-2025-7709]; add missing build dependency
on pkgconf
starlette Fix denial of service issue [CVE-2025-62727]
sudo Only enable Intel CET on amd64; fix regression
with sudoers.d filenames containing colons
suricata Fix denial of service issues [CVE-2026-22258
CVE-2026-22259 CVE-2026-22261]; fix stack
overflow issue [CVE-2026-22262]; fix heap
overflow issue [CVE-2026-22264]
tayga Fix EAM mapping for host addresses
tini Rebuild with updated glibc
torsocks Use correct environment variable; explicitly
trigger ldconfig trigger
tripwire Rebuild with updated glibc
tsocks Rebuild with updated glibc
tzdata New upstream release; Moldova has used EU
transition times since 2022
uglifyjs Fix test failure
units Update URLs to packetizer.com
user-mode-linux Rebuild with updated linux
wget2 Fix file overwrite issue with metalink
[CVE-2025-69194]; fix remote buffer overflow
[CVE-2025-69195]
wireless-regdb New upstream stable release; update regulatory
information for several countries
wireshark New upstream stable release; fix USB HID
dissector memory exhaustion [CVE-2026-3201];
fix RF4CE Profile dissector crash
[CVE-2026-3203]
xen New upstream stable release; fix buffer overrun
issue [CVE-2025-58150]; fix incomplete vCPU
isolation issue [CVE-2026-23553]
zabbix New upstream stable release; fix data leakage
issues [CVE-2025-27231 CVE-2025-27233
CVE-2025-27236 CVE-2025-27238 CVE-2025-49641];
fix denial of service issue [CVE-2025-49643]
zookeeper Fix build failure by skipping some flaky tests
zsh Rebuild with updated glibc
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: This is a digitally signed message part