----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 278-1           https://www.debian.org/
[email protected]                                             Adam D. Barratt
January 5th, 2026
----------------------------------------------------------------------------
Upcoming Debian 12 Update (12.13)

An update to Debian 12 is scheduled for Saturday, January 10th, 2026. As of
now it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the Debian
Bug Tracking System, but please make the Release Team aware of them by
copying "[email protected]" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                       Reason
-------                       ------
allow-html-temp               New upstream version to support newer
                              Thunderbird releases
angular.js                    Fix regular expression-based denial of service
                              issues [CVE-2022-25844 CVE-2023-26116
                              CVE-2023-26117 CVE-2023-26118]; fix restriction
                              bypass issues [CVE-2024-8372 CVE-2024-8373]; fix
                              denial of service issue [CVE-2024-21490]; fix
                              improper sanitization issues [CVE-2025-0716
                              CVE-2025-2336]
apache2                       New upstream stable release; fix integer
                              overflow issue [CVE-2025-55753]; don't pass
                              querystring to #exec directives
                              [CVE-2025-58098]; fix improper parsing of
                              environment variables [CVE-2025-65082]; fix
                              mod_userdir+suexec bypass issue [CVE-2025-66200]
base-files                    Update for the point release
bash                          Rebuild with updated glibc
btrfs-progs                   Device stats: fix printing wrong values in
                              tabular output
busybox                       Rebuild with updated glibc
c-icap-modules                Rebuild against libclamav12; disable clamav
                              support on armel, mipsel and mips64el
calibre                       Fix code execution issue [CVE-2025-64486]
cdebootstrap                  Rebuild with updated glibc
chkrootkit                    Rebuild with updated glibc
clamav                        New upstream release; fix denial of service
                              issue
composer                      Fix ANSI sequence injection [CVE-2025-67746]
cups-filters                  Fix TIFF parser bounds/validation issues
                              [CVE-2025-57812]; clamp oversized PDF
                              MediaBox-derived page size in pdftoraster
                              [CVE-2025-64503]; avoid rastertopclx infinite
                              loop and heap overflow on crafted raster input
                              [CVE-2025-64524]
cyrus-imapd                   Rebuild against libclamav12; disable clamav
                              support on armel, mipsel and mips64el
dar                           Rebuild with updated glibc
debian-security-support       Mark hdf5, libsoup2.4, libsoup3 and zabbix as
                              receiving limited support; mark dnsdist, pdns,
                              pdns-recursor as unsupported
distro-info-data              Update bookworm EoL date; add Ubuntu 26.04 LTS
                              "Resolute Raccoon"
docker.io                     Rebuild with updated containerd, glibc
dpdk                          New upstream stable release
emacs-libvterm                Convert elpa-vterm to an architecture-dependent
                              package
freerdp2                      New upstream release; fix multiple memory-safety
                              vulnerabilities: integer overflow/underflow and
                              out-of-bounds write in NSC, Clear, and GDI
                              bitmap codecs [CVE-2024-22211 CVE-2024-32037
                              CVE-2024-32038 CVE-2024-32039 CVE-2024-32040];
                              out-of-bounds reads in ZGFX, Planar, NCRUSH,
                              Interleaved, and RFX codecs [CVE-2024-32041
                              CVE-2024-32457 CVE-2024-32458 CVE-2024-32459
                              CVE-2024-32460]; invalid memory access in
                              freerdp_peer_get_logon_info [CVE-2024-32661];
                              bounds-check and overflow fixes; update for
                              GCC 14 / FFmpeg 7 build compatibility
gcc-bpf                       Rebuild with updated glibc
gcc-or1k-elf                  Rebuild with updated glibc
gcc-riscv64-unknown-elf       Rebuild with updated glibc
gcc-xtensa-lx106              Rebuild with updated glibc
gdk-pixbuf                    Fix buffer overflow issue [CVE-2025-7345]
ghdl                          Rebuild with updated glibc
git                           Fix arbitrary file creation/truncation in gitk
                              [CVE-2025-27613]; prevent arbitrary file
                              overwrite in git-gui with crafted directory
                              names [CVE-2025-46835]; correct submodule path
                              parsing with trailing CR [CVE-2025-48384];
                              validate bundle-uri to prevent protocol
                              injection during clone [CVE-2025-48385]
glib2.0                       Prevent various integer overflows
                              [CVE-2025-13601 CVE-2025-14087 CVE-2025-14512]
gnupg2                        Avoid potential downgrade to SHA1 in 3rd party
                              key signatures; error out on unverified output
                              for non-detached signatures; fix possible
                              memory corruption in the armor parser
                              [CVE-2025-68973]; do not use a default when
                              asking for another output filename
golang-github-containerd-stargz-snapshotter
                              Rebuild with updated containerd
golang-github-containers-buildah
                              Rebuild with updated containerd
golang-github-openshift-imagebuilder
                              Rebuild with updated containerd
imagemagick                   Fix denial of service issues [CVE-2025-62594
                              CVE-2025-68618]; fix use-after-free issue
                              [CVE-2025-65955]; fix integer overflow issues
                              [CVE-2025-62171 CVE-2025-66628 CVE-2025-69204];
                              fix infinite loop issue [CVE-2025-68950]
intel-microcode               Update Intel processor microcode to 20251111
lemonldap-ng                  Fix sessions tablename when not default; fix
                              oidc flow when user encountered an error on
                              server side; fix Kerberos JavaScript when used
                              with "Choice"; improve CORS checking; fix
                              path_info handling; fix shell injection issue
                              [CVE-2025-59518]; hide session id from Ajax
                              responses
libcap2                       Rebuild with updated glibc
libclamunrar                  New upstream release, aligning with clamav
                              1.4.3
libcommons-lang-java          Fix uncontrolled recursion issue
                              [CVE-2025-48924]
libcommons-lang3-java         Fix uncontrolled recursion issue
                              [CVE-2025-48924]
libhtp                        Prevent denial of service via unbounded HTTP
                              header processing [CVE-2024-23837
                              CVE-2024-45797]
libnginx-mod-http-lua         Fix HTTP HEAD request smuggling
                              [CVE-2024-33452]
libphp-adodb                  Fix SQL injection in sqlite and sqlite3
                              metadata lookups [CVE-2025-54119]
libpod                        Rebuild with updated containerd
libreoffice                   Set Bulgaria locale default currency to EUR
libssh                        Fix integer overflow issue [CVE-2025-4877]; fix
                              use of uninitialized variable [CVE-2025-4878];
                              fix out of bounds memory access issue
                              [CVE-2025-5318]; fix double free issue
                              [CVE-2025-5351]; fix use of uninitialized memory
                              [CVE-2025-5372 CVE-2025-5987]; fix null pointer
                              dereference issue [CVE-2025-8114]; fix memory
                              leak [CVE-2025-8277]
libxml2                       Fix denial of service issue [CVE-2025-9714]
libyaml-syck-perl             Fix memory corruption leading to "str" value
                              being set on empty keys
linux                         New upstream stable release
linux-signed-amd64            New upstream stable release
linux-signed-arm64            New upstream stable release
linux-signed-i386             New upstream stable release
log4cxx                       Fix improper escaping issues [CVE-2025-54812
                              CVE-2025-54813]
luksmeta                      Fix data corruption issue with LUKS1
                              [CVE-2025-11568]
modsecurity-apache            Fix request body error handling to propagate
                              Apache filter/read failures correctly
                              [CVE-2025-54571]; map request body read
                              failures to appropriate HTTP status codes;
                              simplify request body error propagation in
                              mod_security2
mongo-c-driver                Avoid invalid memory reads [CVE-2025-12119]
mydumper                      Fix arbitrary file read issue [CVE-2025-30224]
nvidia-graphics-drivers       New upstream bugfix release [CVE-2025-23279
                              CVE-2025-23286]
nvidia-open-gpu-kernel-modules
                              New upstream bugfix release [CVE-2025-23279
                              CVE-2025-23286]
onetbb                        Fix build failure on single-CPU and CI
                              environments by skipping problematic tests
open-vm-tools                 Disable SDMP service version collection by
                              default to mitigate local privilege escalation
                              [CVE-2025-41244]
openrefine                    Fix MySQL host parameter injection in JDBC URL
                              parsing [CVE-2024-23833]; fix reflected XSS in
                              gdata OAuth callback handler [CVE-2024-47878];
                              fix content-type confusion XSS in ExportRows
                              endpoint [CVE-2024-47880]; prevent remote or
                              extension loading via SQLite connection URL
                              [CVE-2024-47881]; escape HTML in error stack
                              traces [CVE-2024-47882]; prevent path traversal
                              in language file loading [CVE-2024-49760]
openssl                       New upstream stable release
pam                           Fix local privilege escalation in pam_namespace
                              [CVE-2025-6020]
pg-snakeoil                   Rebuild against libclamav12
pgbouncer                     Fix arbitrary SQL execution issue
                              [CVE-2025-12819]; fix expired password use issue
                              [CVE-2025-2291]
postgresql-15                 New upstream stable release; check for CREATE
                              privileges on the schema in CREATE STATISTICS
                              [CVE-2025-12817]; avoid integer overflow in
                              allocation-size calculations within libpq
                              [CVE-2025-12818]
python-django                 Fix regular expression-based denial of service
                              issue [CVE-2023-36053], denial of service issues
                              [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990
                              CVE-2024-41991], user enumeration issue
                              [CVE-2024-39329], directory traversal issue
                              [CVE-2024-39330], excessive memory consumption
                              issue [CVE-2024-41989], SQL injection issue
                              [CVE-2024-42005]
qemu                          New upstream stable release; fix "qemu-img info
                              https://example.com"; fix migration of guests
                              using virtio-net; fix use after free issue
                              [CVE-2025-11234]
qpwgraph                      Add missing dependency on libqt6svg6
r-cran-gh                     Fix sensitive data leak issue [CVE-2025-54956]
rear                          Prevent created initrd from being
                              world-readable when GRUB_RESCUE=y
                              [CVE-2024-23301]
rescue                        Improve btrfs support
rlottie                       Fix outlying coordinate rejection in FreeType
                              rasteriser [CVE-2025-0634 CVE-2025-53074
                              CVE-2025-53075]
rsync                         Improve test coverage for future updates; fix
                              out-of-bounds read via negative array index in
                              sender file list handling [CVE-2025-10158]
ruby-sinatra                  Fix regular expression-based denial of service
                              issue [CVE-2025-61921]
rust-cbindgen-web             New upstream release, to support building newer
                              Mozilla software versions
samba                         Fix information leak issue [CVE-2018-14628]; fix
                              command injection issue [CVE-2025-10230]; fix
                              uninitialized memory disclosure issue
                              [CVE-2025-9640]
sash                          Rebuild with updated glibc
shadow                        Prevent segmentation fault in groupmod
skeema                        Rebuild with updated containerd
snapd                         Rebuild with updated containerd
sogo                          Fix HTML injection issue [CVE-2023-48104]; fix
                              CSS injection issue [CVE-2024-24510]; fix
                              cross-site scripting issues [CVE-2025-63498
                              CVE-2025-63499]; fix crash on invalid
                              mailIdentities; fix typo in previous upload
squid                         Fix denial of service issue [CVE-2023-46728];
                              fix mishandling of long SNMP OIDs in ASN.1
                              [CVE-2025-59362]; disable ESI feature support,
                              fixing several issues [CVE-2024-45802]; remove
                              Gopher support
sudo                          Enable Intel CET on amd64 only
supermin                      Rebuild with updated glibc
symfony                       Fix PATH_INFO parsing [CVE-2025-64500]; drop
                              failing Finder testsuite data entries
syslog-ng                     Fix incorrect wildcard matching in certificate
                              names [CVE-2024-47619]
tripwire                      Rebuild with updated glibc
u-boot                        Fix integer overflow issues [CVE-2024-57254
                              CVE-2024-57255 CVE-2024-57256 CVE-2024-57258];
                              fix stack consumption issue [CVE-2024-57257];
                              fix heap corruption issue [CVE-2024-57259]
ublock-origin                 New upstream release; improve user experience
                              and add new filter capabilities; fix denial of
                              service issue [CVE-2025-4215]
unbound                       Fix denial of service issue [CVE-2024-33655];
                              fix possible domain hijack issue
                              [CVE-2025-11411]; fix "unbound-anchor cannot
                              deal with full disk"; fix potential
                              amplification DDoS attacks; fix incorrect
                              return of NODATA for some ANY queries
user-mode-linux               Rebuild with updated linux
vtk9                          Fix inability to read VTK XML files with
                              appended data on newer expat
zsh                           Rebuild with updated glibc, libcap2

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/oldstable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                       Reason
-------                       ------
clamav [armel mipsel mips64el]
                              No longer supportable on architectures without
                              newer Rust support
libc-icap-mod-virus-scan [armel mipsel mips64el]
                              Depends on to-be-removed clamav
pagure                        Broken, security issues
pg-snakeoil [armel mipsel mips64el]
                              Depends on to-be-removed clamav

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "[email protected]".
