Updated Debian 12: 12.11 released

May 17th, 2025

The Debian project is pleased to announce the eleventh update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Known issues

Linux 6.1.137-1, included with Debian 12.11 is unable to load the watchdog and w83977f_wdt modules on the amd64 architecture. This is a regression.

This issue will be fixed in a forthcoming update.

Users who rely on the watchdog functionality should disable their watchdog or avoid upgrading to this version of the kernel until a fix is available.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package	Reason
abseil	Fix heap buffer overflow issue [CVE-2025-0838]; fix build failure on ppc64el
adonthell	Fix compatibility with SWIG 4.1
base-files	Update for the point release
bash	Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
busybox	Rebuild for outdated Built-Using (glibc/2.36-9)
cdebootstrap	Rebuild for outdated Built-Using (glibc/2.36-9)
chkrootkit	Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
crowdsec	Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
dar	Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
debian-archive-keyring	Add archive signing and SRM keys for trixie (Debian 13); move buster (Debian 10) keys to removed keyring
debian-installer	Increase Linux kernel ABI to 6.1.0-35; rebuild against proposed-updates
debian-installer-netboot-images	Rebuild against proposed-updates
debian-security-support	Update list of packages receiving limited support, or unsupported, in bookworm
distro-info-data	Add Debian 15 and Ubuntu 25.10
docker.io	Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, glibc/2.36-9+deb12u8)
dpdk	New upstream stable release
fig2dev	Reject huge pattern lengths [CVE-2025-31162]; reject arcs with co-incident points [CVE-2025-31163]; allow an arc-box with zero radius [CVE-2025-31164]
fossil	Fix interaction with an Apache HTTP server including the fix for CVE-2024-24795
gcc-12	Fix -fstack-protector handling of overflows on AArch64 [CVE-2023-4039]
gcc-mingw-w64	Rebuild for outdated Built-Using (gcc-12/12.2.0-13)
glib2.0	Fix integer overflow in g_date_time_new_from_iso8601() [CVE-2025-3360]
golang-github-containerd-stargz-snapshotter	Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, runc/1.1.5+ds1-1)
golang-github-containers-buildah	Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1)
golang-github-openshift-imagebuilder	Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1)
haproxy	Fix heap buffer overflow issue [CVE-2025-32464]
igtf-policy-bundle	Backport current policy bundle
imagemagick	Fix MIFF image depth mishandled after SetQuantumFormat [CVE-2025-43965]
initramfs-tools	Restore copy_file's handling of target ending in slash; exclude usr-merge symlinks in copy_file; add reset drivers when MODULES=dep
krb5	Fix memory leak in ndr.c [CVE-2024-26462]; prevent buffer overflow when calculating ulog buffer size [CVE-2025-24528]
libbson-xs-perl	Fix security issues in embedded copy of libbson: denial of service [CVE-2017-14227]; buffer over-read [CVE-2018-16790]; infinite loop [CVE-2023-0437]; memory corruption [CVE-2024-6381]; buffer overflows [CVE-2024-6383 CVE-2025-0755]
libcap2	Fix incorrect recognition of group names [CVE-2025-1390]
libdata-entropy-perl	Seed entropy pool with urandom by default [CVE-2025-1860]
libpod	Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1, golang-github-containers-buildah/1.28.2+ds1-3)
libsub-handlesvia-perl	Fix arbitrary code execution issue [CVE-2025-30673]
linux	New upstream release; bump ABI to 35
linux-signed-amd64	New upstream release; bump ABI to 35
linux-signed-arm64	New upstream release; bump ABI to 35
linux-signed-i386	New upstream release; bump ABI to 35
logcheck	Respect removal of /etc/logcheck/header.txt
mongo-c-driver	Fix infinite loop issue [CVE-2023-0437]; fix integer overflow issue [CVE-2024-6381]; fix buffer overflow issues [CVE-2024-6383 CVE-2025-0755]
network-manager	Fix crash dereferencing NULL pointer during debug logging [CVE-2024-6501]
nginx	Fix buffer underread and unordered chunk vulnerabilities in mp4 [CVE-2024-7347]
node-fstream-ignore	Fix build failure by not running tests in parallel
node-send	Fix cross-site scripting issue [CVE-2024-43799]
node-serialize-javascript	Fix cross-site scripting issue [CVE-2024-11831]
nvidia-graphics-drivers	New upstream stable release; remove ppc64el support (migrated to src:nvidia-graphics-drivers-tesla-535); fix build issues with newer kernel versions; security fixes [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149 CVE-2024-0150 CVE-2024-53869 CVE-2025-23244]
nvidia-graphics-drivers-tesla	New upstream stable release; transition to packages from src:nvidia-graphics-drivers-tesla-535 on ppc64el; fix build issues with newer kernel versions
nvidia-graphics-drivers-tesla-535	New package for the now EOL ppc64el support
nvidia-open-gpu-kernel-modules	New upstream stable release; security fixes [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149 CVE-2024-0150 CVE-2024-53869 CVE-2025-23244]
nvidia-settings	New upstream stable release; drop support for some obsolete packages; relax the nvidia-alternative dependency to a suggestion on ppc64el
openrazer	Fix out of bounds read issue [CVE-2025-32776]
opensnitch	Rebuild for outdated Built-Using (golang-github-google-nftables/0.1.0-3)
openssh	Fix the DisableForwarding directive [CVE-2025-32728]
openssl	New upstream stable release; fix timing side channel issue [CVE-2024-13176]
openvpn	Avoid possible ASSERT() on OpenVPN servers using --tls-crypt-v2 [CVE-2025-2704]; prevent malicious peer DoS or log-flooding [CVE-2024-5594]; refuse multiple exit notifications from authenticated clients [CVE-2024-28882]; update expired certificates in build tests
phpmyadmin	Fix XSS vulnerabilities [CVE-2025-24529 CVE-2025-24530]
policyd-rate-limit	Fix startup with newer python3-yaml
poppler	Fix crash on malformed files [CVE-2023-34872]; fix out-of-bounds read issues [CVE-2024-56378 CVE-2025-32365]; fix floating point exception issue [CVE-2025-32364]
postgresql-15	New upstream stable release; fix buffer over-read issue [CVE-2025-4207]
prometheus	Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
prometheus-postfix-exporter	Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
python-h11	Fix request smuggling issue [CVE-2025-43859]
python3.11	Fix misparsing issues [CVE-2025-0938 CVE-2025-1795]
qemu	Rebuild for outdated Built-Using (glibc/2.36-9+deb12u9, gnutls28/3.7.9-2+deb12u3); new upstream bugfix release
qtbase-opensource-src	Delay HTTP2 communication until encrypted() can be responded to [CVE-2024-39936]; fix crash with null checks in table iface methods
redis	Fix denial of service issue [CVE-2025-21605]
renaissance	Avoid exception on startup
sash	Rebuild for outdated Built-Using (glibc/2.36-9)
shadow	Fix password leak issue [CVE-2023-4641]; fix chfn control character injection issue [CVE-2023-29383]
skeema	Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1)
skopeo	Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
telegram-desktop	Rebuild for outdated Built-Using (ms-gsl/4.0.0-2)
tripwire	Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
twitter-bootstrap3	Fix cross-site scripting issues [CVE-2024-6485 CVE-2024-6484]
twitter-bootstrap4	Fix cross-site scripting issue [CVE-2024-6531]
tzdata	New America/Coyhaique zone for Aysén Region in Chile
user-mode-linux	Rebuild for outdated Built-Using (linux/6.1.82-1)
varnish	Prevent HTTP/1 client-side desync [CVE-2025-30346]
wireless-regdb	New upstream release
xmedcon	Fix buffer overflow [CVE-2025-2581]
zsh	Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5, libcap2/1:2.66-4)

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID	Package
DSA-5877	chromium
DSA-5878	php8.2
DSA-5879	opensaml
DSA-5880	freetype
DSA-5881	rails
DSA-5882	chromium
DSA-5883	mercurial
DSA-5884	libxslt
DSA-5885	webkit2gtk
DSA-5886	ruby-rack
DSA-5887	exim4
DSA-5888	ghostscript
DSA-5889	firefox-esr
DSA-5890	chromium
DSA-5891	thunderbird
DSA-5892	atop
DSA-5893	tomcat10
DSA-5894	jetty9
DSA-5895	xz-utils
DSA-5896	trafficserver
DSA-5897	lemonldap-ng
DSA-5898	chromium
DSA-5899	webkit2gtk
DSA-5900	linux-signed-amd64
DSA-5900	linux-signed-arm64
DSA-5900	linux-signed-i386
DSA-5900	linux
DSA-5901	mediawiki
DSA-5902	perl
DSA-5903	chromium
DSA-5904	libapache2-mod-auth-openidc
DSA-5905	graphicsmagick
DSA-5906	erlang
DSA-5907	linux-signed-amd64
DSA-5907	linux-signed-arm64
DSA-5907	linux-signed-i386
DSA-5907	linux
DSA-5908	libreoffice
DSA-5909	request-tracker5
DSA-5910	firefox-esr
DSA-5911	request-tracker4
DSA-5912	thunderbird
DSA-5913	openjdk-17
DSA-5915	vips
DSA-5917	libapache2-mod-auth-openidc

Removed packages

The following packages were removed due to circumstances beyond our control:

Package	Reason
pidgin-skype	Useless as service discontinued
viagee	No longer able to connect to gmail

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bookworm/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.