----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 277-1       https://www.debian.org/
[email protected]                                  Adam D. Barratt
January 5th, 2026
----------------------------------------------------------------------------

Upcoming Debian 13 Update (13.3)

An update to Debian 13 is scheduled for Saturday, January 10th, 2026. As
of now it will include the following bug fixes. They can be found in
"trixie-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "trixie-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "[email protected]" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                     Reason
-------                     ------
ansible                     New upstream stable release
apache2                     New upstream stable release; fix integer
                            overflow issue [CVE-2025-55753]; don't pass
                            querystring to #exec directives
                            [CVE-2025-58098]; fix improper parsing of
                            environment variables [CVE-2025-65082]; fix
                            mod_userdir+suexec bypass issue
                            [CVE-2025-66200]
at-spi2-core                Ensure xkb group is taken into account for
                            key events
awffull                     Fix systemd timer invocation to avoid
                            premature cron-script exit
base-files                  Update for the point release
bash                        Rebuild with updated glibc
bglibs                      Rebuild with updated glibc
busybox                     Rebuild with updated glibc
calibre                     Fix FB2 embedded binary handling in
                            conversion plugin [CVE-2025-64486]
catatonit                   Rebuild with updated glibc
cdebootstrap                Rebuild with updated glibc
chkrootkit                  Rebuild with updated glibc
cloud-init                  Ensure deb822 sources.list template renders
                            correctly
composer                    Fix ANSI sequence injection [CVE-2025-67746]
condor                      Rebuild with updated glibc
cups-filters                Fix TIFF parser bounds/validation issues
                            [CVE-2025-57812]; clamp oversized PDF
                            MediaBox-derived page size in pdftoraster
                            [CVE-2025-64503]; avoid rastertopclx
                            infinite loop and heap overflow on crafted
                            raster input [CVE-2025-64524]
dar                         Rebuild with updated curl, glibc, openssl
debian-security-support     Mark hdf5 and zabbix as receiving limited
                            support; mark wpewebkit as unsupported
debos                       Move systemd-resolved from Recommends to
                            Depends
dgit                        Git-debrebase: use different directory for
                            nested workareas
dhcpcd                      Re-enable ntp_servers option by default
diffoscope                  Fix tests when ukify is newer
distribution-gpg-keys       Update included keys
distrobuilder               Rebuild with updated containerd, incus
docker.io                   Rebuild with updated containerd, glibc
dpdk                        New upstream stable release
e2fsprogs                   Rebuild with updated glibc
edk2                        Fix timing side-channel issue in ECDSA
                            signature computation [CVE-2024-13176]; fix
                            out-of-bounds memory access issue
                            [CVE-2024-38805]; fix code execution issue
                            [CVE-2025-3770]
exfatprogs                  Ensure mkfs.exfat defaults to 512-byte
                            sectors for Windows compatibility
extrepo-data                Update repository information; fix handling
                            for future Debian releases
flatpak                     New upstream stable release
fpdf2                       Fix use of variable fonts
freedombox                  distupgrade: Handle comments in sources.list
                            file; update trixie's release date; backups:
                            Set proper permissions for backups-data
                            directory [CVE-2025-68462]
freeradius                  Fix TLS verification segfault when
                            certificate chains include multiple
                            intermediate certificates
glib2.0                     Prevent various integer overflows
                            [CVE-2025-13601 CVE-2025-14087
                            CVE-2025-14512]
glibc                       Fix a double lock init issue after fork();
                            fix SYSCALL_CANCEL for return values larger
                            than INT_MAX; fix crash in ifunc functions
                            on arm64 when hardening with
                            -ftrivial-auto-var-init=zero; fix
                            _dl_find_object when ld.so has LOAD segment
                            gaps, causing wrong backtrace unwinding;
                            optimize inverse trig function, SVE exp,
                            hyperbolic, and log1p functions on arm64
gnome-shell                 New upstream bugfix release
gnupg2                      Avoid potential downgrade to SHA1 in 3rd
                            party key signatures; error out on
                            unverified output for non-detached
                            signatures; fix possible memory corruption
                            in the armor parser [CVE-2025-68973]; do not
                            use a default when asking for another output
                            filename
gnutls28                    Fix PKCS#11 token label bounds in
                            gnutls_pkcs11_token_init [CVE-2025-9820];
                            initialise PKCS#11 modules in thread-safe
                            mode with fallback
golang-github-awslabs-soci-snapshotter
                            Rebuild with updated containerd
golang-github-containerd-imgcrypt
                            Rebuild with updated containerd
golang-github-containerd-nydus-snapshotter
                            Rebuild with updated containerd
golang-github-containerd-stargz-snapshotter
                            Rebuild with updated containerd
golang-github-containers-buildah
                            Rebuild with updated containerd
golang-github-openshift-imagebuilder
                            Rebuild with updated containerd
imagemagick                 Fix denial of service issues [CVE-2025-62594
                            CVE-2025-68618]; fix use-after-free issue
                            [CVE-2025-65955]; fix integer overflow
                            issues [CVE-2025-66628 CVE-2025-69204]; fix
                            infinite loop issue [CVE-2025-68950]
incus                       Fix AppArmor profile generation for nested
                            containers
integrit                    Rebuild with updated glibc
intel-microcode             Update Intel processor microcode to 20251111
iperf3                      Fix authentication RSA encryption buffer
                            length initialisation for OpenSSL 3.5.3+;
                            avoid build failure with newer OpenSSL
kleopatra                   Fix failure to start with a file argument on
                            GNOME
libcap2                     Rebuild with updated glibc
libcoap3                    Fix configuration file parsing issue
                            [CVE-2025-59391]; fix NULL pointer
                            dereference issues [CVE-2025-65493
                            CVE-2025-65494 CVE-2025-65496 CVE-2025-65497
                            CVE-2025-65498 CVE-2025-65500
                            CVE-2025-65501]; fix integer signedness
                            issue [CVE-2025-65495]; fix array index
                            error issue [CVE-2025-65499]
libcupsfilters              Fix TIFF parser bounds/validation issues
                            [CVE-2025-57812]; clamp oversized PDF
                            MediaBox-derived page size in pdftoraster
                            [CVE-2025-64503]
libphp-adodb                Fix SQL injection issue in sqlite(3) drivers
                            [CVE-2025-54119]
libreoffice                 Set Bulgaria locale default currency to EUR
libvirt                     Perform ACL checks earlier, preventing
                            malicious users from potentially being able
                            to crash the daemon [CVE-2025-12748]; ensure
                            that newly-created snapshots are not
                            world-readable [CVE-2025-13193]; apply the
                            detect_zeroes settings across all layers of
                            the backing chain instead of just the
                            topmost one
linux                       New upstream stable release
linux-signed-amd64          New upstream stable release
linux-signed-arm64          New upstream stable release
lua-wsapi                   Fix Lua 5.1 support
lxc                         Add lxc-net dependency to sysvinit script;
                            stop printing misleading errors in
                            enter_net_ns(); fix generation of
                            apparmor.d/abstractions/lxc/container-base;
                            fix restarting unprivileged containers
lxd                         Fix broken idmapping with kernel 6.9+;
                            tighten storage pool volume permissions
                            [CVE-2025-64507]
matlab-support              Avoid renaming MATLAB vendored
                            Vulkan/FreeType libraries
mbedtls                     New upstream stable release; fix timing
                            issues [CVE-2025-54764 CVE-2025-59438]
mirrorbits                  Fix fallback redirects when Redis/file
                            metadata is unavailable; normalise fallback
                            mirror URLs to avoid malformed redirects
mongo-c-driver              Avoid invalid memory reads [CVE-2025-12119]
mutter                      New upstream bugfix release
node-nodemailer             Fix addressparser recipient parsing for
                            quoted nested addresses [CVE-2025-13033]
openconnect                 Respect path in AnyConnect/OpenConnect XML
                            form handling; fix failure to build with
                            MinGW32/64; use RFC9266 'tls-exporter'
                            channel bindings for Cisco STRAP with
                            TLSv1.3
pgbouncer                   Fix arbitrary SQL execution issue
                            [CVE-2025-12819]
podman                      Rebuild with updated containerd
postgresql-17               New upstream stable release; check for
                            CREATE privileges on the schema in CREATE
                            STATISTICS [CVE-2025-12817]; avoid integer
                            overflow in allocation-size calculations
                            within libpq [CVE-2025-12818]
pylint-django               Fix use with new astroid
qemu                        New upstream stable release; fix use after
                            free issue [CVE-2025-11234]; fix buffer
                            overflow issue [CVE-2025-12464]
qiv                         Fix Wayland startup crash by forcing X11 GDK
                            backend
r-bioc-beachmat             Fix test that depends on the "beachmat.hdf5"
                            R package, which is not yet in Debian
r-cran-gh                   Fix exposure of request headers in returned
                            response objects [CVE-2025-54956]; ensure
                            pagination passes authentication context
                            explicitly; update tests and documentation
reform-tools                Fix building lpc with Linux >= 6.17
rlottie                     Fix outlying coordinate rejection in
                            FreeType rasteriser [CVE-2025-0634
                            CVE-2025-53074 CVE-2025-53075]
rsync                       Fix out-of-bounds read via negative array
                            index in sender file list handling
                            [CVE-2025-10158]
rust-repro-env              Rebuild with updated rust-sequoia-openpgp
rust-ripasso-cursive        Rebuild with updated rust-sequoia-openpgp
rust-sequoia-chameleon-gnupg
                            Rebuild with updated rust-sequoia-openpgp
rust-sequoia-git            Rebuild with updated rust-sequoia-openpgp
rust-sequoia-keystore-server
                            Rebuild with updated rust-sequoia-openpgp
rust-sequoia-octopus-librnp
                            Rebuild with updated rust-sequoia-openpgp
rust-sequoia-openpgp        Fix buffer underflow in aes_key_unwrap
                            [CVE-2025-67897]
rust-sequoia-sop            Rebuild with updated rust-sequoia-openpgp
rust-sequoia-sq             Rebuild with updated rust-sequoia-openpgp
rust-sequoia-sqv            Rebuild with updated rust-sequoia-openpgp
sash                        Rebuild with updated glibc
sbuild                      Explicitly select the
                            sbuild-build-depends-main-dummy package
                            architecture; preserve TMPDIR when running
                            autopkgtest; lib/Sbuild/Build.pm: preserve
                            TMPDIR for piuparts; obey $TMPDIR for
                            autopkgtest dsc mkdtemp
snapd                       Rebuild with updated glibc
sogo                        Fix cross-site scripting issues
                            [CVE-2025-63498 CVE-2025-63499]
suricata                    Fix verdict logging bounds checks
                            [CVE-2025-64330]; fix various logging stack
                            overflows [CVE-2025-64331 CVE-2025-64332
                            CVE-2025-64333 CVE-2025-64344]
survex                      Fix the width of the "find stations" search
                            box to make it actually usable again
swupdate                    Fix suricatta reboot-mode signalling via
                            progress interface
symfony                     Fix PATH_INFO parsing [CVE-2025-64500]; drop
                            failing Finder testsuite data entries
tini                        Rebuild with updated glibc
tripwire                    Rebuild with updated glibc
tsocks                      Rebuild with updated glibc
tzsetup                     Fix timezone for Argentina and Ukraine
user-mode-linux             Rebuild with Linux 6.12.63-1
yorick-gy                   Fix GIR module version loading for Gtk/Gdk;
                            switch to multiarch-friendly
                            libgirepository-1.0-dev build-dependency;
                            incorporate GCC-14/15 build fixes; update
                            watch file and metadata
zsh                         Rebuild with updated glibc, pcre

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "[email protected]".
