Updated Debian 12: 12.12 released
September 6th, 2025
The Debian project is pleased to announce the twelfth update of its
oldstable distribution Debian 12 (codename bookworm
).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
12 but only updates some of the packages included. There is
no need to throw away old bookworm
media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| amd64-microcode | Update AMD-SEV firmware [CVE-2024-56161]; update included microcode |
| aom | Fix libaom encoder output validity |
| apache2 | New upstream stable release; fix HTTP response splitting issue [CVE-2024-42516]; fix server-side request forgery issue [CVE-2024-43204 CVE-2024-43394]; fix log injection issue [CVE-2024-47252]; fix access control bypass issue [CVE-2025-23048]; fix denial of service issue [CVE-2025-49630]; fix potential man-in-the-middle issue [CVE-2025-49812]; fix memory lifetime management issue [CVE-2025-53020] |
| b43-fwcutter | Update firmware URL |
| balboa | Rebuild against glibc 2.36-9+deb12u12 |
| base-files | Update for the point release |
| bash | Rebuild against glibc 2.36-9+deb12u12 |
| botan | Fix denial of service issues [CVE-2024-34702 CVE-2024-34703]; fix improper parsing of name constraints [CVE-2024-39312]; fix compiler-induced secret-dependent operation issue [CVE-2024-50383] |
| busybox | Rebuild against glibc 2.36-9+deb12u12 |
| ca-certificates | Add Sectigo Public Server Authentication Root E46 and Sectigo Public Server Authentication Root R46 |
| catatonit | Rebuild against glibc 2.36-9+deb12u12 |
| cdebootstrap | Rebuild against glibc 2.36-9+deb12u12 |
| chkrootkit | Rebuild against glibc 2.36-9+deb12u12 |
| cjson | Fix denial of service issue [CVE-2023-26819]; fix buffer overflow issue [CVE-2023-53154] |
| clamav | New upstream stable release; fix buffer overflow issues [CVE-2025-20128 CVE-2025-20260] |
| cloud-init | Make hotplug socket writable only by root [CVE-2024-11584]; don't attempt to identify non-x86 OpenStack instances [CVE-2024-6174] |
| commons-beanutils | Fix improper access control issue [CVE-2025-48734] |
| commons-vfs | Fix path traversal issue [CVE-2025-27553] |
| corosync | Fix buffer overflow vulnerability on large UDP packets [CVE-2025-30472] |
| criu | Fix restore functionality of mount namespaces with newer kernel versions |
| curl | Fix regression handling sftp://host/~ URIs; fix a memory leak |
| dar | Rebuild against glibc 2.36-9+deb12u12 |
| debian-edu-config | Fix quoting in Exim configuration; gosa-sync: fix password verification; fix quoting in gosa.conf |
| debian-installer | Increase Linux kernel ABI to 6.1.0-39; rebuild against oldstable-proposed-updates; add console-setup-pc-ekmap for arm64 and armhf CD images; use nomodesetrather than fb=falseto disable framebuffer |
| debian-installer-netbook-images | Rebuild against oldstable-proposed-updates |
| debian-security-support | Query source:Package instead of Source to get the correct list of packages; fix typo related to gobgp |
| distro-info-data | Add Ubuntu end of Legacy Support dates; add release and estimated EoL for trixie |
| djvulibre | Fix denial of service issues [CVE-2021-46310 CVE-2021-46312] |
| docker.io | Rebuild against glibc 2.36-9+deb12u12 |
| dpdk | New upstream stable release |
| dropbear | Fix shell injection vulnerability in multihop handling [CVE-2025-47203] |
| e2fsprogs | Rebuild against glibc 2.36-9+deb12u12 |
| erlang | ssh: fix strict KEX hardening [CVE-2025-46712]; zip: sanitize pathnames when extracting files with absolute pathnames [CVE-2025-4748]; fix documentation build failure with newer xsltproc versions |
| expat | Fix denial of service issues [CVE-2023-52425 CVE-2024-8176]; fix parser crash [CVE-2024-50602] |
| fig2dev | Detect nan in spline control values [CVE-2025-46397]; permit \0 in 2nd line in fig file [CVE-2025-46398]; ge output: correct spline computation [CVE-2025-46399]; reject arcs with a radius smaller than 3 [CVE-2025-46400] |
| firebird3.0 | Fix NULL pointer dereference issue [CVE-2025-54989] |
| fort-validator | Fix denial of service issues [CVE-2024-45234 CVE-2024-45235 CVE-2024-45236 CVE-2024-45238 CVE-2024-45239 CVE-2024-48943]; fix buffer overflow issue [CVE-2024-45237] |
| galera-4 | New upstream stable release |
| glib2.0 | Fix buffer underflow issue [CVE-2025-4373 CVE-2025-7039]; improve upgrade safety |
| glibc | Fix incorrect LD_LIBRARY_PATH search in dlopen for static setuid binaries [CVE-2025-4802]; improve memory layout of structures in exp/exp10/expf functions; add an SVE implementation of memset on aarch64; improve generic implementation of memset on aarch64; fix double free issue [CVE-2025-8058] |
| gnupg2 | Rebuild against glibc 2.36-9+deb12u12; fix recommends of architecture-any packages on architecture-all package to support binNMUs |
| golang-github-gin-contrib-cors | Fix mishandling of wildcards [CVE-2019-25211] |
| gst-plugins-base1.0 | Fix buffer overrun issue [CVE-2025-47806]; fix NULL pointer dereference issues [CVE-2025-47807 CVE-2025-47808] |
| gst-plugins-good1.0 | Fix possible information disclosure issue [CVE-2025-47219] |
| init-system-helpers | Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems |
| insighttoolkit4 | Fix build on systems with a single CPU |
| insighttoolkit5 | Fix build on systems with a single CPU |
| integrit | Rebuild against glibc 2.36-9+deb12u12 |
| iperf3 | Fix buffer overflow issue [CVE-2025-54349]; fix assertion failure [CVE-2025-54350] |
| jinja2 | Fix arbitrary code execution issue [CVE-2025-27516] |
| jq | Zero-terminate string in jv.c [CVE-2025-48060] |
| kexec-tools | Remove no longer required dependencies |
| kmail-account-wizard | Fix man in the middle attack issue [CVE-2024-50624] |
| krb5 | Fix message tampering issue [CVE-2025-3576]; disable issuance of tickets using RC4 or triple-DES session keys by default |
| kubernetes | Sanitise raw data output to terminal [CVE-2021-25743]; hide long and multi-line strings when printing |
| libarchive | Fix integer overflow issues [CVE-2025-5914 CVE-2025-5916], buffer over read issue [CVE-2025-5915], buffer overlow issue [CVE-2025-5917] |
| libbpf | Fix operation with newer systemd versions |
| libcap2 | Rebuild against glibc 2.36-9+deb12u12; add missing Built-Using: glibc |
| libcgi-simple-perl | Fix HTTP response splitting issue [CVE-2025-40927] |
| libfcgi | Fix integer overflow issue [CVE-2025-23016] |
| libfile-tail-perl | Fix uninitialized variable issue |
| libphp-adodb | Fix SQL injection vulnerability in pg_insert_id() [CVE-2025-46337] |
| libraw | Fix out-of-bounds read issues [CVE-2025-43961 CVE-2025-43962 CVE-2025-43963]; enforce minimum w0 and w1 values [CVE-2025-43964] |
| libreoffice | Add EUR support for Bulgaria |
| libsndfile | Fix integer overflow issues [CVE-2022-33065]; fix out of bounds read issue [CVE-2024-50612] |
| libsoup3 | New upstream bug-fix release; fix buffer overrun issue [CVE-2024-52531]; fix denial of service issues [CVE-2024-52532 CVE-2025-32051]; fix heap overflow issues [CVE-2025-32052 CVE-2025-32053]; fix integer overflow issue [CVE-2025-32050]; fix heap buffer overflow issues [CVE-2025-2784]; reject HTTP headers if they contain null bytes [CVE-2024-52530]; fix denial of service issues [CVE-2025-32909 CVE-2025-32910 CVE-2025-46420 CVE-2025-32912 CVE-2025-32906]; fix memory management issues [CVE-2025-32911 CVE-2025-32913]; fix credential disclosure issue [CVE-2025-46421]; fix use-after-free during disconnection, which can cause GNOME Calculator to hang at startup; fix a test failure on some 32-bit systems |
| libtheora | Fix segfault during decoder initialisation; avoid possible bit-shifting in decoder |
| libtpms | Fix out of bounds read issue [CVE-2025-49133] |
| libxml2 | Fix integer overflow issue in xmlBuildQName [CVE-2025-6021]; fix potential buffer overflows in the interactive shell [CVE-2025-6170]; fix use-after-free issue in xmlSchematronReportOutput [CVE-2025-49794]; fix type confusion issue in xmlSchematronReportOutput [CVE-2025-49796] |
| libyaml-libyaml-perl | Fix arbitrary file edit issue [CVE-2025-40908] |
| lintian | Add bookworm to duke to the list of known Debian release names; don't emit source-nmu-has-incorrect-version-number for stable updates |
| linux | New upstream stable release; increase ABI to 39 |
| linux-signed-amd64 | New upstream stable release; increase ABI to 39 |
| linux-signed-arm64 | New upstream stable release; increase ABI to 39 |
| linux-signed-i386 | New upstream stable release; increase ABI to 39 |
| llvm-toolchain-19 | New upstream stable release |
| luajit | Fix buffer overflow issue [CVE-2024-25176]; fix denial of service issue [CVE-2024-25177]; fix out-of-bounds read issue [CVE-2024-25178] |
| lxc | Rebuild against glibc 2.36-9+deb12u12 |
| mailgraph | Update embedded copy of Parse::Syslog, enabling support for RFC3339 dates |
| mariadb | New upstream stable release; security fixes [CVE-2023-52969 CVE-2023-52970 CVE-2023-52971 CVE-2025-30693 CVE-2025-30722]; fix restart after out of memory; new upstream stable release; fix variable name in debian-start.sh |
| mkchromecast | Replace youtube-dl with yt-dlp |
| mlt | Fix Python scripts |
| mono | Remove unneeded (and broken) mono-source package |
| mosquitto | Fix memory leak issue [CVE-2023-28366]; fix out of bounds memory access issue [CVE-2024-10525]; fix double free issue [CVE-2024-3935]; fix possible segmentation fault issue [CVE-2024-8376] |
| multipath-tools | Reinstate ANA prioritizer in build process |
| nextcloud-desktop | Fix share options in graphical interface |
| nginx | Fix potential information leak in ngx_mail_smtp_module [CVE-2025-53859] |
| node-addon-api | Add support for nodejs >= 18.20 |
| node-csstype | Fix build failure |
| node-form-data | Fix insufficient randomness issue [CVE-2025-7783] |
| node-minipass | Fix tap reporter in auto test and autopkgtest |
| node-nodeunit | Fix test flakiness |
| node-tar-fs | Fix path traversal issues [CVE-2024-12905 CVE-2025-48387] |
| node-tmp | Fix arbitrary file write issue [CVE-2025-54798] |
| nvda2speechd | Fix required rmp-serde version |
| openjpeg2 | Fix NULL pointer dereference issue [CVE-2025-50952] |
| openssh | Handle OpenSSL >=3 ABI compatibility to avoid new SSH connections failing during upgrades to trixie |
| openssl | New upstream stable release; revert some upstream changes to avoid crashes in downstream software |
| perl | Fix TLS certificate verification issue [CVE-2023-31484]; fix non thread safe file access [CVE-2025-40909] |
| postgresql-15 | New upstream stable release; tighten security checks in planner estimation functions [CVE-2025-8713]; prevent pg_dump scripts from being used to attack the user running the restore [CVE-2025-8714]; convert newlines to spaces in names included in comments in pg_dump output [CVE-2025-8715] |
| postgresql-common | PgCommon.pm: Set defined path in prepare_exec. Fixes compatibility with trixie's perl version |
| prody | Fix build failure; add tolerance to some tests which now fail on i386 |
| python-django | Fix regular expression-based denial of service issue [CVE-2023-36053], denial of service issues [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990 CVE-2024-41991], user enumeration issue [CVE-2024-39329], directory traversal issue [CVE-2024-39330], excessive memory consumption issue [CVE-2024-41989], SQL injection issue [CVE-2024-42005] |
| python-flask-cors | Fix log data injection issue [CVE-2024-1681]; fix improper path processing issues [CVE-2024-6866 CVE-2024-6839 CVE-2024-6844] |
| python-mitogen | Support targets with Python >= 3.12 |
| python-zipp | Fix denial of service issue [CVE-2024-5569] |
| qemu | Rebuild against glibc 2.36-9+deb12u12; new upstream bugfix release |
| raptor2 | Fix integer underflow issue [CVE-2024-57823]; fix heap read buffer overflow issue [CVE-2024-57822] |
| rar | New upstream release; fix ANSI escape injection issue [CVE-2024-33899] |
| rubygems | Fix credential leak issue [CVE-2025-27221]; fix regular expression related denial of service issue [CVE-2023-28755] |
| rust-cbindgen-web | Rebuild against current rustc-web |
| rustc-web | New upstream stable release, to support building of newer Chromium versions |
| samba | Fix various bugs following a change to Microsoft Active Directory |
| sash | Rebuild against glibc 2.36-9+deb12u12 |
| setuptools | Fix arbitrary file write issue [CVE-2025-47273] |
| shaarli | Fix cross site scripting issue [CVE-2025-55291] |
| simplesamlphp | Fix signature verification issue [CVE-2025-27773] |
| snapd | Rebuild against glibc 2.36-9+deb12u12 |
| sqlite3 | Fix memory corruption issue [CVE-2025-6965]; fix bug in NOT NULL/IS NULL optimization that can cause invalid data |
| supermin | Rebuild against glibc 2.36-9+deb12u12 |
| systemd | New upstream stable release |
| tini | Rebuild against glibc 2.36-9+deb12u12 |
| tripwire | Rebuild against glibc 2.36-9+deb12u12 |
| tsocks | Rebuild against glibc 2.36-9+deb12u12 |
| tzdata | Confirm leap second status for 2025 |
| usb.ids | New upstream update |
| waitress | Fix race condition in HTTP pipelining [CVE-2024-49768]; fix denial of service issue [CVE-2024-49769] |
| webpy | Fix SQL injection issue [CVE-2025-3818] |
| wireless-regdb | New upstream release, updating included regulatory data; permit 320 MHz bandwidth in 6 GHz band for GB |
| wolfssl | Fix insufficient randomisation issue [CVE-2025-7394] |
| wpa | Fix inappropriate reuse of PKEX elements [CVE-2022-37660] |
| xfce4-weather-plugin | Migrate to new APIs; update translations |
| xrdp | Fix session restrictions bypass issue [CVE-2023-40184]; fix out-of-bounds read issue [CVE-2023-42822]; fix login restrictions bypass issue [CVE-2024-39917] |
| ydotool | Rebuild against glibc 2.36-9+deb12u12 |
| zsh | Rebuild against glibc 2.36-9+deb12u12 |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
| Package | Reason |
|---|---|
| guix | Unsupportable; security issues |
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.