Updated Debian 13: 13.1 released
September 6th, 2025
The Debian project is pleased to announce the first update of its
stable distribution Debian 13 (codename trixie
).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
13 but only updates some of the packages included. There is
no need to throw away old trixie
media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
auto-apt-proxy | Check explicitly configured proxies before network gateway |
base-files | Update for the point release |
courier | Fix courier-webmin |
debian-installer | Increase Linux kernel ABI to 6.12.43+deb13; rebuild against proposed-updates; add a workaround for a GRUB graphics initialisation bug |
debian-installer-netboot-images | Rebuild against proposed-updates |
desktop-base | Fix placement of plymouth prompts in multi-monitor setups |
devscripts | Update suite and codename mappings |
dpdk | New upstream point release |
ethtool | netlink: fix print_string when the value is NULL |
firebird3.0 | Fix null pointer dereference in XDR message parsing [CVE-2025-54989] |
flvstreamer | Stop installing rtmpsrv and rtmpsuck, avoiding file conflict with the rtmpdump package |
galera-4 | New upstream stable release |
git | New upstream bug-fix release; fix arbitrary file write issues [CVE-2025-27613 CVE-2025-46835]; fix code execution issues [CVE-2025-27614 CVE-2025-48384]; fix protocol injection issue, possibly leading to arbitrary code execution [CVE-2025-48385] |
glib2.0 | New upstream bugfix release; fix a corner case when upgrading from bookworm |
gnome-control-center | Fix a UI issue and an error display issue; translation updates |
gnome-online-accounts | New upstream bug-fix release; update translations |
gnome-shell | New upstream bugfix release |
golang-github-gin-contrib-cors | Fix mishandling of wildcards [CVE-2019-25211] |
gssdp | New upstream bug-fix release; fix issues with Since: and Deprecated: declarations in documentation |
imagemagick | Security fixes: heap buffer overflow in the InterpretImageFilenamefunction [CVE-2025-53014]; infinite loop when writing during a specific XMP file conversion command [CVE-2025-53015]; memory leak in the magick streamcommand [CVE-2025-53019]; stack overflow through vsnprintf()[CVE-2025-53101]; use-after-free when SetQuantumFormat is used [CVE-2025-43965]; in multispectral MIFF image processing, packet_size mishandling [CVE-2025-46393] |
init-system-helpers | Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems |
installation-guide | Enable Hungarian and Ukrainian translations; fix boot-dev-select-arm64 and armhf-armmp-supported-platforms hyperlinks |
iperf3 | Fix buffer overflow issue [CVE-2025-54349]; fix assertion failure [CVE-2025-54350] |
kamailio | Relax OpenSSL version check to only match against major version |
libadwaita-1 | New upstream bugfix release |
libcgi-simple-perl | Fix HTTP response splitting issue [CVE-2025-40927] |
libcoap3 | Fix buffer overflow issue [CVE-2024-0962]; fix integer overflow issue [CVE-2024-31031] |
libreoffice | Add EUR support for Bulgaria; fix installation of Impress sound effects; fix playing of videos in Impress under Qt6 |
librepo | New upstream bug-fix release, fixing support for DNF5; improve handling of SELinux in the Debian packaging |
linux | New upstream stable release |
linux-signed-amd64 | New upstream stable release |
linux-signed-arm64 | New upstream stable release |
live-boot | Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems |
live-build | Fix handling of os-release diversions, ensuring they don't exist in non-live systems |
mame | Fix translation building |
mariadb | New upstream stable release |
mate-sensors-applet | Fix crash at startup |
mmdebstrap | Support numeric UID in /etc/subgid and /etc/subuid |
modemmanager | Fix support for Fibocom FM350-GL |
mozjs128 | New upstream stable release; fix uninitialised memory issue [CVE-2025-9181], memory safety issues [CVE-2025-9185] |
network-manager-openvpn | New upstream stable release; fix multi-factor authentication in combination with non-ASCII characters |
nginx | Fix potential information leak in ngx_mail_smtp_module [CVE-2025-53859] |
node-tmp | Fix arbitrary file write issue [CVE-2025-54798] |
open-iscsi | Ensure /var/lib exists in initramfs |
openjpeg2 | Fix out-of-bounds write issue [CVE-2025-54874] |
orca | Add dependencies on python3-setproctitle and python3-psutil |
orphan-sysvinit-scripts | Fix installation of mdadm scripts |
pcre2 | New upstream stable release; fix potential information disclosure issue [CVE-2025-58050] |
postfix | New upstream stable release; fix copying of files to chroot |
postgresql-17 | New upstream stable release; tighten security checks in planner estimation functions [CVE-2025-8713]; prevent pg_dump scripts from being used to attack the user running the restore [CVE-2025-8714]; convert newlines to spaces in names included in comments in pg_dump output [CVE-2025-8715] |
ptyxis | New upstream bugfix release |
pyraf | Ensure compatibility with Python 3.13 |
qemu | New upstream bugfix release |
rabbitmq-server | Show proper plugin version numbers |
remind | Fix buffer overflow in DUMPVARS |
renpy | Fix font symlinks |
resource-agents | Handle cases where more than one route for an IP address exists |
rkward | Restore compatibility with R 4.5 |
samba | New upstream bugfix release |
sbuild | Support UID in /etc/sub(u|g)id; fix build path permissions when building as root; always append newline in binNMU changelog; allow empty BUILD_PATH in command line options |
shaarli | Fix cross site scripting issue [CVE-2025-55291] |
sound-theme-freedesktop | Link front-center sample to audio-channel-mono |
strongswan | Fix OpenSSL 3.5.1 support |
systemd | New upstream stable release |
systemd-boot-efi-amd64-signed | New upstream stable release |
systemd-boot-efi-arm64-signed | New upstream stable release |
thunar | Fix prompt before permanently deleting files |
timescaledb | Disable test that fails with Postgresql 17.6 |
transmission | Fix GTK app crash when LANG=fr |
tzdata | Confirm leap second status for 2025 |
wolfssl | Avoid weak and predictable random numbers [CVE-2025-7394] |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
guix | Unsupportable; security issues |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.