Updated Debian 12: 12.11 released

17 May 2025

The Debian project is pleased to announce the eleventh update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with further fixes for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Known issues

Linux 6.1.137-1, which is included with Debian 12.11, cannot load the watchdog and w83977f_wdt modules on the amd64 architecture. This is a regression.

This issue will be fixed in an upcoming update.

Users who rely on the watchdog functionality should disable their watchdog or avoid upgrading to this version of the kernel until a fix is available.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
abseil Fix heap buffer overflow issue [CVE-2025-0838]; fix build failure on ppc64el
adonthell Fix compatibility with SWIG 4.1
base-files Update for the point release
bash Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
busybox Rebuild for outdated Built-Using (glibc/2.36-9)
cdebootstrap Rebuild for outdated Built-Using (glibc/2.36-9)
chkrootkit Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
crowdsec Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
dar Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
debian-archive-keyring Add archive signing and SRM keys for trixie (Debian 13); move buster (Debian 10) keys to removed keyring
debian-installer Increase Linux kernel ABI to 6.1.0-35; rebuild against proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates
debian-security-support Update list of packages receiving limited support, or unsupported, in bookworm
distro-info-data Add Debian 15 and Ubuntu 25.10
docker.io Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, glibc/2.36-9+deb12u8)
dpdk New upstream stable release
fig2dev Reject huge pattern lengths [CVE-2025-31162]; reject arcs with co-incident points [CVE-2025-31163]; allow an arc-box with zero radius [CVE-2025-31164]
fossil Fix interaction with an Apache HTTP server including the fix for CVE-2024-24795
gcc-12 Fix -fstack-protector handling of overflows on AArch64 [CVE-2023-4039]
gcc-mingw-w64 Rebuild for outdated Built-Using (gcc-12/12.2.0-13)
glib2.0 Fix integer overflow in g_date_time_new_from_iso8601() [CVE-2025-3360]
golang-github-containerd-stargz-snapshotter Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, runc/1.1.5+ds1-1)
golang-github-containers-buildah Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1)
golang-github-openshift-imagebuilder Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1)
haproxy Fix heap buffer overflow issue [CVE-2025-32464]
igtf-policy-bundle Backport current policy bundle
imagemagick Fix MIFF image depth mishandled after SetQuantumFormat [CVE-2025-43965]
initramfs-tools Restore copy_file's handling of target ending in slash; exclude usr-merge symlinks in copy_file; add reset drivers when MODULES=dep
krb5 Fix memory leak in ndr.c [CVE-2024-26462]; prevent buffer overflow when calculating ulog buffer size [CVE-2025-24528]
libbson-xs-perl Fix security issues in embedded copy of libbson: denial of service [CVE-2017-14227]; buffer over-read [CVE-2018-16790]; infinite loop [CVE-2023-0437]; memory corruption [CVE-2024-6381]; buffer overflows [CVE-2024-6383 CVE-2025-0755]
libcap2 Fix incorrect recognition of group names [CVE-2025-1390]
libdata-entropy-perl Seed entropy pool with urandom by default [CVE-2025-1860]
libpod Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1, golang-github-containers-buildah/1.28.2+ds1-3)
libsub-handlesvia-perl Fix arbitrary code execution issue [CVE-2025-30673]
linux New upstream release; bump ABI to 35
linux-signed-amd64 New upstream release; bump ABI to 35
linux-signed-arm64 New upstream release; bump ABI to 35
linux-signed-i386 New upstream release; bump ABI to 35
logcheck Respect removal of /etc/logcheck/header.txt
mongo-c-driver Fix infinite loop issue [CVE-2023-0437]; fix integer overflow issue [CVE-2024-6381]; fix buffer overflow issues [CVE-2024-6383 CVE-2025-0755]
network-manager Fix crash dereferencing NULL pointer during debug logging [CVE-2024-6501]
nginx Fix buffer underread and unordered chunk vulnerabilities in mp4 [CVE-2024-7347]
node-fstream-ignore Fix build failure by not running tests in parallel
node-send Fix cross-site scripting issue [CVE-2024-43799]
node-serialize-javascript Fix cross-site scripting issue [CVE-2024-11831]
nvidia-graphics-drivers New upstream stable release; remove ppc64el support (migrated to src:nvidia-graphics-drivers-tesla-535); fix build issues with newer kernel versions; security fixes [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149 CVE-2024-0150 CVE-2024-53869 CVE-2025-23244]
nvidia-graphics-drivers-tesla New upstream stable release; transition to packages from src:nvidia-graphics-drivers-tesla-535 on ppc64el; fix build issues with newer kernel versions
nvidia-graphics-drivers-tesla-535 New package for the now EOL ppc64el support
nvidia-open-gpu-kernel-modules New upstream stable release; security fixes [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149 CVE-2024-0150 CVE-2024-53869 CVE-2025-23244]
nvidia-settings New upstream stable release; drop support for some obsolete packages; relax the nvidia-alternative dependency to a suggestion on ppc64el
openrazer Fix out of bounds read issue [CVE-2025-32776]
opensnitch Rebuild for outdated Built-Using (golang-github-google-nftables/0.1.0-3)
openssh Fix the DisableForwarding directive [CVE-2025-32728]
openssl New upstream stable release; fix timing side channel issue [CVE-2024-13176]
openvpn Avoid possible ASSERT() on OpenVPN servers using --tls-crypt-v2 [CVE-2025-2704]; prevent malicious peer DoS or log-flooding [CVE-2024-5594]; refuse multiple exit notifications from authenticated clients [CVE-2024-28882]; update expired certificates in build tests
phpmyadmin Fix XSS vulnerabilities [CVE-2025-24529 CVE-2025-24530]
policyd-rate-limit Fix startup with newer python3-yaml
poppler Fix crash on malformed files [CVE-2023-34872]; fix out-of-bounds read issues [CVE-2024-56378 CVE-2025-32365]; fix floating point exception issue [CVE-2025-32364]
postgresql-15 New upstream stable release; fix buffer over-read issue [CVE-2025-4207]
prometheus Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
prometheus-postfix-exporter Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
python-h11 Fix request smuggling issue [CVE-2025-43859]
python3.11 Fix misparsing issues [CVE-2025-0938 CVE-2025-1795]
qemu Rebuild for outdated Built-Using (glibc/2.36-9+deb12u9, gnutls28/3.7.9-2+deb12u3); new upstream bugfix release
qtbase-opensource-src Delay HTTP2 communication until encrypted() can be responded to [CVE-2024-39936]; fix crash with null checks in table iface methods
redis Fix denial of service issue [CVE-2025-21605]
renaissance Avoid exception on startup
sash Rebuild for outdated Built-Using (glibc/2.36-9)
shadow Fix password leak issue [CVE-2023-4641]; fix chfn control character injection issue [CVE-2023-29383]
skeema Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1)
skopeo Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
telegram-desktop Rebuild for outdated Built-Using (ms-gsl/4.0.0-2)
tripwire Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
twitter-bootstrap3 Fix cross-site scripting issues [CVE-2024-6485 CVE-2024-6484]
twitter-bootstrap4 Fix cross-site scripting issue [CVE-2024-6531]
tzdata New America/Coyhaique zone for Aysén Region in Chile
user-mode-linux Rebuild for outdated Built-Using (linux/6.1.82-1)
varnish Prevent HTTP/1 client-side desync [CVE-2025-30346]
wireless-regdb New upstream release
xmedcon Fix buffer overflow [CVE-2025-2581]
zsh Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5, libcap2/1:2.66-4)

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-5877 chromium
DSA-5878 php8.2
DSA-5879 opensaml
DSA-5880 freetype
DSA-5881 rails
DSA-5882 chromium
DSA-5883 mercurial
DSA-5884 libxslt
DSA-5885 webkit2gtk
DSA-5886 ruby-rack
DSA-5887 exim4
DSA-5888 ghostscript
DSA-5889 firefox-esr
DSA-5890 chromium
DSA-5891 thunderbird
DSA-5892 atop
DSA-5893 tomcat10
DSA-5894 jetty9
DSA-5895 xz-utils
DSA-5896 trafficserver
DSA-5897 lemonldap-ng
DSA-5898 chromium
DSA-5899 webkit2gtk
DSA-5900 linux-signed-amd64
DSA-5900 linux-signed-arm64
DSA-5900 linux-signed-i386
DSA-5900 linux
DSA-5901 mediawiki
DSA-5902 perl
DSA-5903 chromium
DSA-5904 libapache2-mod-auth-openidc
DSA-5905 graphicsmagick
DSA-5906 erlang
DSA-5907 linux-signed-amd64
DSA-5907 linux-signed-arm64
DSA-5907 linux-signed-i386
DSA-5907 linux
DSA-5908 libreoffice
DSA-5909 request-tracker5
DSA-5910 firefox-esr
DSA-5911 request-tracker4
DSA-5912 thunderbird
DSA-5913 openjdk-17
DSA-5915 vips
DSA-5917 libapache2-mod-auth-openidc

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
pidgin-skype Unusable as the service has been discontinued
viagee Can no longer connect to Gmail

Debian Installer

The installer has been updated to include the fixes incorporated into the stable release by this point release.

URLs

The complete list of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bookworm/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, known issues, etc.):

https://www.debian.org/releases/stable/

Security advisories and information:

https://www.debian.org/security/

About Debian

The Debian Project is a group of Free Software developers who donate their time and effort to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.