---------------------------------------------------------------------------- Debian Stable Updates Announcement SUA 276-1 https://www.debian.org/ [email protected] Adam D. Barratt November 10th, 2025 ----------------------------------------------------------------------------
Upcoming Debian 13 Update (13.2) An update to Debian 13 is scheduled for Saturday, November 15th, 2025. As of now it will include the following bug fixes. They can be found in "trixie- proposed-updates", which is carried by all official mirrors. Please note that packages published through security.debian.org are not listed, but will be included if possible. Some of the updates below are also already available through "trixie-updates". Testing and feedback would be appreciated. Bugs should be filed in the Debian Bug Tracking System, but please make the Release Team aware of them by copying "[email protected]" on your mails. The point release will also include a rebuild of debian-installer. Miscellaneous Bugfixes ---------------------- This stable update adds a few important corrections to the following packages: Package Reason ------- ------ 7zip New upstream release; security fixes [CVE-2025-55188 CVE-2025-11002 CVE-2025-11001] 7zip-rar Add missing CRC table constructor aide Fix bin/buildcache use by running it from a root timer; various updates and fixes to included rules allow-html-temp New upstream version to support newer Thunderbird releases alsa-ucm-conf-asahi Install missing aop_audio UCM configs ansible Update collections to maintain compatibility with ansible-core 2.19 ansible-core New upstream stable release; fix regression from 2.18 regarding handlers and play tags asahi-scripts Fix the macaudio default profile check; add the apple_nvmem_spmi module to the initramfs explicitly; make update-m1n1 idempotent base-files Update for the point release brltty atSpi2: do not manage widgets without text interface; avoid excessive verbose bluetooth/usbfs messages console-setup Update keyboard layouts dz(la) into dz(azerty- oss) and Use ca/multix variant instead of ca/multi; fix dz(azerty-oss/deadkeys) into dz, which is what xkb really provides; fix dz default layout cups Fix operation of checkboxes in admin interface curl Fix buffer over-read issue [CVE-2025-9086]; fix cache poisoning issue [CVE-2025-10148]; fix path traversal issue [CVE-2025-11563]; allow --output to be overridden by --curl-options; fix manpage example for "continue-at"; fix path traversal issue [CVE-2025-11563] debian-edu-config Use SERVER_ADDRESS in RewriteRule instead of hard-coded 'www'; drop desktop bundle from bundlesequence dhcpcd Fix crash when an address is deleted; prevent failure to start if wpasupplicant is not installed distro-info-data Update EoL date for bookworm; add Ubuntu 26.04 LTS "Resolute Raccoon" dkms New upstream release; stop shipping dkms.service, fixing dependency cycle with cloud-init-network.service; emit a warning if no kernel headers were found dns-root-data Update root-anchors.p7s (the signature of root- anchors.xml) with a new expiration date dnsdist Fix denial of service issues [CVE-2025-8671 CVE-2025-30187] dolphin-emu Fix interaction with RetroAchievements; fix translations dovecot Ensure default lmtpd auth_username_format matches the global value; fix oauth configuration parsing; lib-sieve: correctly handle errors; clean up a few typos in default/example configuration eas4tbsync New upstream version to support newer Thunderbird releases emacs-libvterm Convert elpa-vterm to an architecture-dependent package eperl Avoid passing a truncated environment on Perl 5.40 epiphany-browser New upstream stable release; fix various crashes; fix PKCS#11 login for invalid cert/priv pairs evolution New upstream stable release evolution-data-server New upstream stable release; fix busy loop when using the MH format mail archive fangfrisch Update sanesecurity mirror as the old one will stop working soon fluidsynth Set the default samplerate to 48000 and buffer size to 512 in the service configuration, fixing high CPU usage and distorted sound folder-account New upstream version to support newer Thunderbird releases fonts-noto-color-emoji New upstream release; add support for the Unicode 17.0 standard freeradius Fix compatibility with OpenSSL 3.5.2 gnome-maps New upstream stable release; fix a regression when requesting route planning from transitous.org; add address format for Austria and Paraguay gnome-session Fix default app priority for early adopters of Papers and Showtime google-recaptcha Fix PHP 8.4 deprecation warnings ikvswitch Use Trixie as default distro for the setup; don't fail on errors when taking down an IPMI bridge; use a sysctl.d fragment file rather than sysctl.conf imagemagick Fix integer overflow issue [CVE-2025-62171] input-remapper Add missing python3-psutil runtime dependency irqbalance Enable write access to /proc/irq in service definition jdupes Fix detection of unique files jing-trang Re-import upstream release, to remove incorrectly included files keepassxc-browser Fix compatibility with Chromium kmail-account-wizard Enable automatic QML dependency detection lemonldap-ng Fix command injection issue [CVE-2025-59518]; don't expose session-id into Ajax responses; fix Google authentication libcommons-lang-java Fix an uncontrolled recursion issue [CVE-2025-48924] libcommons-lang3-java Fix an uncontrolled recursion issue [CVE-2025-48924] libgpiod Remove unnecessary Breaks/Replaces on libgpiod2 and libgpiod2t64 libhtp Prevent memory leak with lzma [CVE-2025-53537] libsmb2 Fix buffer overflow issue [CVE-2025-57632] libssh Fix NULL pointer dereference issue [CVE-2025-8114]; fix denial of service issue [CVE-2025-8277] libvirt Don't require TLS certificate to support keyEncipherment; lower log level of a message, avoiding journal spam when using the LXC driver; fix a daemon crash that occurs when probing capabilities for a QEMU binary that doesn't report information about CPU models libwebsockets Fix denial of service issue [CVE-2025-11677]; fix buffer overflow issue [CVE-2025-11678] libxml2 Fix XPath recursion depth DoS [CVE-2025-9714] libyaml-syck-perl Prevent memory corruption leading to 'str' value being set on empty keys [CVE-2025-11683] linux New upstream stable release linux-signed-amd64 New upstream stable release linux-signed-arm64 New upstream stable release lnav Handle failure to set cregs from tmux log4cxx Fix improper escaping issues [CVE-2025-54812 CVE-2025-54813] logcheck Update ignore.d.paranoid/ssh and ignore.d.server/ssh lttng-modules Fix potential kernel crash with syscall tracing luksmeta Fix data corruption issue with LUKS1 [CVE-2025-11568] lxcfs Add missing dependency on fuse3 magit Ship missing magit-dired.el in elpa-magit mailfromd Rebuild to fix symbol lookup error mailmindr New upstream version to support newer Thunderbird releases malcontent Fix filtering snaps after snapd 2.72; fix listing flatpaks in parental control UI; fix memory leak when checking snaps mapserver Fix SQL injection issue [CVE-2025-59431] mc Fix accidental use of >&10 for subshells, avoiding delays at startup modsecurity-apache Fix security issues relating to response Content-Type handling [CVE-2025-54571] monitoring-plugins Fix check_users in combination with systemd; fix check_mysql plugin with newer MySQL versions mpv Create missing folders for watch history mrtg Fix duplicate WorkDir lines in cfgmaker output nextcloud-desktop New upstream stable release nfdump Honour subdir (-S) when usng dynamic FlowSource (-M) nova Fix information disclosure issue nvidia-graphics-drivers- Fix use after free issue [CVE-2025-23280]; fix tesla-535 privilege escalation issue [CVE-2025-23282]; fix denial of service issues [CVE-2025-23300 CVE-2025-23330 CVE-2025-23332 CVE-2025-23345] onetbb Fix test failures on single-CPU test machines; skip flaky mutex tests open-vm-tools Disable (default) the execution of the SDMP get-versions.sh script [CVE-2025-41244] openssl New upstream stable release openvpn-auth-radius Fix packet authentication orphan-sysvinit-scripts Add haveged init script patroni New upstream stable release pdns-recursor Switch to dpkg/default.mk; drop CARGO_REGISTRY override phpmyadmin Address XSS vulnerability in bundled jquery.validate.js [CVE-2025-3573] poppler Fix infinite recursion [CVE-2025-50420] postfix New upstream stable release; fix typo which caused recreating cadir in chroot and excessive logging presage Prevent crash with apostrophes in completion suggestions privatebin-cli Fix connections to pastebins using GCM ciphers proftpd-dfsg Don't remove /srv/ftp on package purge puppet-module-puppetlabs- Fix list_users provider; setup all nodes as rabbitmq disk nodes puppet-module-tempest Fix autoloading of openstack provider python-eventlet Fix HTTP request smuggling by discarding HTTP chunk trailers [CVE-2025-58068] qemu New upstream stable release; fix denial of service issue [CVE-2024-8354]; fix wrong emulation of FIBMAP and FIGETBSZ ioctls qt6-base Fix high CPU usage of kwin_x11 on screen lock (X11) quicktext New upstream version to support newer Thunderbird releases rabbitmq-server Fix logging on sensitive data [CVE-2025-50200] riseup-vpn Add dependency on qml6-module-qtcore rocm-hipamd Fix linking for programs that include <hip/hip_bf16.h> in more than one translation unit; fix spelling error in roc-obj-ls manpage rsyslog-doc Switch documentation theme to sphinx_rtd_theme ruby-sys-filesystem Fix detection of 64-bit OS on s390x and alpha rust-virtiofsd Add missing dependency on uidmap sail Fix memory corruption issues [CVE-2025-32468 CVE-2025-35984 CVE-2025-46407 CVE-2025-50129 CVE-2025-52456 CVE-2025-52930 CVE-2025-53085 CVE-2025-53510] samba New upstream stable release; fix uninitialized memory disclosure issue [CVE-2025-9640], command injection issue [CVE-2025-10230] samhain Disable dnmalloc, preventing possible segfaults spip Fix open redirect issue on AJAX login form stardict Split plugin in to a new stardict-plugin- network-dictionary package; disable stardict_dictdotcn.so plugin suricata Fix uncontrolled memory use issue [CVE-2025-53538]; fix detection bypass issue [CVE-2025-59147] syslog-ng Disable writing of log statistics by default systemd New upstream stable reelase; systemd-networkd: fix segfault on VLAN-aware bridges; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers systemd-boot-efi-amd64- New upstream stable reelase; systemd-networkd: signed fix segfault on VLAN-aware bridges; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers systemd-boot-efi-arm64- New upstream stable reelase; systemd-networkd: signed fix segfault on VLAN-aware bridges; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers tango Fix broken communication between versions 9 and 10 tbsync New upstream version to support newer Thunderbird releases ublock-origin New upstream release; improve user experience and add new filter capabilities virt-manager Fix "Browse local" function watcher Fix information disclosure issue wike Set a User Agent, to ensure that the mobile version of Wikipedia is used wtmpdb Rotate and prune logs using logrotate; store logs in system log directory xnote New upstream version to support newer Thunderbird releases xorg Fix login failure with sessions using multiple words in invocation xssproxy Fix compatibility with Chromium and xdg- desktop-portal-gtk A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision: <https://release.debian.org/proposed-updates/stable.html> Removed packages ---------------- The following packages will be removed due to circumstances beyond our control: Package Reason ------- ------ rust-profiling-procmacros Unused If you encounter any issues, please don't hesitate to get in touch with the Debian Release Team at "[email protected]".
signature.asc
Description: This is a digitally signed message part
