Updated Debian 13: 13.1 released

September 6th, 2025

The Debian project is pleased to announce the first update of its stable distribution Debian 13 (codename trixie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 13 but only updates some of the packages included. There is no need to throw away old trixie media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
auto-apt-proxy Check explicitly configured proxies before network gateway
base-files Update for the point release
courier Fix courier-webmin
debian-installer Increase Linux kernel ABI to 6.12.43+deb13; rebuild against proposed-updates; add a workaround for a GRUB graphics initialisation bug
debian-installer-netboot-images Rebuild against proposed-updates
desktop-base Fix placement of plymouth prompts in multi-monitor setups
devscripts Update suite and codename mappings
dpdk New upstream point release
ethtool netlink: fix print_string when the value is NULL
firebird3.0 Fix null pointer dereference in XDR message parsing [CVE-2025-54989]
flvstreamer Stop installing rtmpsrv and rtmpsuck, avoiding file conflict with the rtmpdump package
galera-4 New upstream stable release
git New upstream bug-fix release; fix arbitrary file write issues [CVE-2025-27613 CVE-2025-46835]; fix code execution issues [CVE-2025-27614 CVE-2025-48384]; fix protocol injection issue, possibly leading to arbitrary code execution [CVE-2025-48385]
glib2.0 New upstream bugfix release; fix a corner case when upgrading from bookworm
gnome-control-center Fix a UI issue and an error display issue; translation updates
gnome-online-accounts New upstream bug-fix release; update translations
gnome-shell New upstream bugfix release
golang-github-gin-contrib-cors Fix mishandling of wildcards [CVE-2019-25211]
gssdp New upstream bug-fix release; fix issues with Since: and Deprecated: declarations in documentation
imagemagick Security fixes: heap buffer overflow in the InterpretImageFilename function [CVE-2025-53014]; infinite loop when writing during a specific XMP file conversion command [CVE-2025-53015]; memory leak in the magick stream command [CVE-2025-53019]; stack overflow through vsnprintf() [CVE-2025-53101]; use-after-free when SetQuantumFormat is used [CVE-2025-43965]; in multispectral MIFF image processing, packet_size mishandling [CVE-2025-46393]
init-system-helpers Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems
installation-guide Enable Hungarian and Ukrainian translations; fix boot-dev-select-arm64 and armhf-armmp-supported-platforms hyperlinks
iperf3 Fix buffer overflow issue [CVE-2025-54349]; fix assertion failure [CVE-2025-54350]
kamailio Relax OpenSSL version check to only match against major version
libadwaita-1 New upstream bugfix release
libcgi-simple-perl Fix HTTP response splitting issue [CVE-2025-40927]
libcoap3 Fix buffer overflow issue [CVE-2024-0962]; fix integer overflow issue [CVE-2024-31031]
libreoffice Add EUR support for Bulgaria; fix installation of Impress sound effects; fix playing of videos in Impress under Qt6
librepo New upstream bug-fix release, fixing support for DNF5; improve handling of SELinux in the Debian packaging
linux New upstream stable release
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
live-boot Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems
live-build Fix handling of os-release diversions, ensuring they don't exist in non-live systems
mame Fix translation building
mariadb New upstream stable release
mate-sensors-applet Fix crash at startup
mmdebstrap Support numeric UID in /etc/subgid and /etc/subuid
modemmanager Fix support for Fibocom FM350-GL
mozjs128 New upstream stable release; fix uninitialised memory issue [CVE-2025-9181], memory safety issues [CVE-2025-9185]
network-manager-openvpn New upstream stable release; fix multi-factor authentication in combination with non-ASCII characters
nginx Fix potential information leak in ngx_mail_smtp_module [CVE-2025-53859]
node-tmp Fix arbitrary file write issue [CVE-2025-54798]
open-iscsi Ensure /var/lib exists in initramfs
openjpeg2 Fix out-of-bounds write issue [CVE-2025-54874]
orca Add dependencies on python3-setproctitle and python3-psutil
orphan-sysvinit-scripts Fix installation of mdadm scripts
pcre2 New upstream stable release; fix potential information disclosure issue [CVE-2025-58050]
postfix New upstream stable release; fix copying of files to chroot
postgresql-17 New upstream stable release; tighten security checks in planner estimation functions [CVE-2025-8713]; prevent pg_dump scripts from being used to attack the user running the restore [CVE-2025-8714]; convert newlines to spaces in names included in comments in pg_dump output [CVE-2025-8715]
ptyxis New upstream bugfix release
pyraf Ensure compatibility with Python 3.13
qemu New upstream bugfix release
rabbitmq-server Show proper plugin version numbers
remind Fix buffer overflow in DUMPVARS
renpy Fix font symlinks
resource-agents Handle cases where more than one route for an IP address exists
rkward Restore compatibility with R 4.5
samba New upstream bugfix release
sbuild Support UID in /etc/sub(u|g)id; fix build path permissions when building as root; always append newline in binNMU changelog; allow empty BUILD_PATH in command line options
shaarli Fix cross site scripting issue [CVE-2025-55291]
sound-theme-freedesktop Link front-center sample to audio-channel-mono
strongswan Fix OpenSSL 3.5.1 support
systemd New upstream stable release
systemd-boot-efi-amd64-signed New upstream stable release
systemd-boot-efi-arm64-signed New upstream stable release
thunar Fix prompt before permanently deleting files
timescaledb Disable test that fails with Postgresql 17.6
transmission Fix GTK app crash when LANG=fr
tzdata Confirm leap second status for 2025
wolfssl Avoid weak and predictable random numbers [CVE-2025-7394]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-5975 linux-signed-amd64
DSA-5975 linux-signed-arm64
DSA-5975 linux
DSA-5976 chromium
DSA-5977 aide
DSA-5978 webkit2gtk
DSA-5979 libxslt
DSA-5980 firefox-esr
DSA-5981 chromium
DSA-5983 qemu
DSA-5984 thunderbird
DSA-5986 node-cipher-base
DSA-5988 chromium
DSA-5989 udisks2
DSA-5990 libxml2
DSA-5992 firebird4.0

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
guix Unsupportable; security issues

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/trixie/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.