Updated Debian 12: 12.12 released

September 6th, 2025

The Debian project is pleased to announce the twelfth update of its oldstable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
amd64-microcode Update AMD-SEV firmware [CVE-2024-56161]; update included microcode
aom Fix libaom encoder output validity
apache2 New upstream stable release; fix HTTP response splitting issue [CVE-2024-42516]; fix server-side request forgery issue [CVE-2024-43204 CVE-2024-43394]; fix log injection issue [CVE-2024-47252]; fix access control bypass issue [CVE-2025-23048]; fix denial of service issue [CVE-2025-49630]; fix potential man-in-the-middle issue [CVE-2025-49812]; fix memory lifetime management issue [CVE-2025-53020]
b43-fwcutter Update firmware URL
balboa Rebuild against glibc 2.36-9+deb12u12
base-files Update for the point release
bash Rebuild against glibc 2.36-9+deb12u12
botan Fix denial of service issues [CVE-2024-34702 CVE-2024-34703]; fix improper parsing of name constraints [CVE-2024-39312]; fix compiler-induced secret-dependent operation issue [CVE-2024-50383]
busybox Rebuild against glibc 2.36-9+deb12u12
ca-certificates Add Sectigo Public Server Authentication Root E46 and Sectigo Public Server Authentication Root R46
catatonit Rebuild against glibc 2.36-9+deb12u12
cdebootstrap Rebuild against glibc 2.36-9+deb12u12
chkrootkit Rebuild against glibc 2.36-9+deb12u12
cjson Fix denial of service issue [CVE-2023-26819]; fix buffer overflow issue [CVE-2023-53154]
clamav New upstream stable release; fix buffer overflow issues [CVE-2025-20128 CVE-2025-20260]
cloud-init Make hotplug socket writable only by root [CVE-2024-11584]; don't attempt to identify non-x86 OpenStack instances [CVE-2024-6174]
commons-beanutils Fix improper access control issue [CVE-2025-48734]
commons-vfs Fix path traversal issue [CVE-2025-27553]
corosync Fix buffer overflow vulnerability on large UDP packets [CVE-2025-30472]
criu Fix restore functionality of mount namespaces with newer kernel versions
curl Fix regression handling sftp://host/~ URIs; fix a memory leak
dar Rebuild against glibc 2.36-9+deb12u12
debian-edu-config Fix quoting in Exim configuration; gosa-sync: fix password verification; fix quoting in gosa.conf
debian-installer Increase Linux kernel ABI to 6.1.0-39; rebuild against oldstable-proposed-updates; add console-setup-pc-ekmap for arm64 and armhf CD images; use nomodeset rather than fb=false to disable framebuffer
debian-installer-netbook-images Rebuild against oldstable-proposed-updates
debian-security-support Query source:Package instead of Source to get the correct list of packages; fix typo related to gobgp
distro-info-data Add Ubuntu end of Legacy Support dates; add release and estimated EoL for trixie
djvulibre Fix denial of service issues [CVE-2021-46310 CVE-2021-46312]
docker.io Rebuild against glibc 2.36-9+deb12u12
dpdk New upstream stable release
dropbear Fix shell injection vulnerability in multihop handling [CVE-2025-47203]
e2fsprogs Rebuild against glibc 2.36-9+deb12u12
erlang ssh: fix strict KEX hardening [CVE-2025-46712]; zip: sanitize pathnames when extracting files with absolute pathnames [CVE-2025-4748]; fix documentation build failure with newer xsltproc versions
expat Fix denial of service issues [CVE-2023-52425 CVE-2024-8176]; fix parser crash [CVE-2024-50602]
fig2dev Detect nan in spline control values [CVE-2025-46397]; permit \0 in 2nd line in fig file [CVE-2025-46398]; ge output: correct spline computation [CVE-2025-46399]; reject arcs with a radius smaller than 3 [CVE-2025-46400]
firebird3.0 Fix NULL pointer dereference issue [CVE-2025-54989]
fort-validator Fix denial of service issues [CVE-2024-45234 CVE-2024-45235 CVE-2024-45236 CVE-2024-45238 CVE-2024-45239 CVE-2024-48943]; fix buffer overflow issue [CVE-2024-45237]
galera-4 New upstream stable release
glib2.0 Fix buffer underflow issue [CVE-2025-4373 CVE-2025-7039]; improve upgrade safety
glibc Fix incorrect LD_LIBRARY_PATH search in dlopen for static setuid binaries [CVE-2025-4802]; improve memory layout of structures in exp/exp10/expf functions; add an SVE implementation of memset on aarch64; improve generic implementation of memset on aarch64; fix double free issue [CVE-2025-8058]
gnupg2 Rebuild against glibc 2.36-9+deb12u12; fix recommends of architecture-any packages on architecture-all package to support binNMUs
golang-github-gin-contrib-cors Fix mishandling of wildcards [CVE-2019-25211]
gst-plugins-base1.0 Fix buffer overrun issue [CVE-2025-47806]; fix NULL pointer dereference issues [CVE-2025-47807 CVE-2025-47808]
gst-plugins-good1.0 Fix possible information disclosure issue [CVE-2025-47219]
init-system-helpers Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems
insighttoolkit4 Fix build on systems with a single CPU
insighttoolkit5 Fix build on systems with a single CPU
integrit Rebuild against glibc 2.36-9+deb12u12
iperf3 Fix buffer overflow issue [CVE-2025-54349]; fix assertion failure [CVE-2025-54350]
jinja2 Fix arbitrary code execution issue [CVE-2025-27516]
jq Zero-terminate string in jv.c [CVE-2025-48060]
kexec-tools Remove no longer required dependencies
kmail-account-wizard Fix man-in-the-middle attack issue [CVE-2024-50624]
krb5 Fix message tampering issue [CVE-2025-3576]; disable issuance of tickets using RC4 or triple-DES session keys by default
kubernetes Sanitise raw data output to terminal [CVE-2021-25743]; hide long and multi-line strings when printing
libarchive Fix integer overflow issues [CVE-2025-5914 CVE-2025-5916], buffer over-read issue [CVE-2025-5915], buffer overflow issue [CVE-2025-5917]
libbpf Fix operation with newer systemd versions
libcap2 Rebuild against glibc 2.36-9+deb12u12; add missing Built-Using: glibc
libcgi-simple-perl Fix HTTP response splitting issue [CVE-2025-40927]
libfcgi Fix integer overflow issue [CVE-2025-23016]
libfile-tail-perl Fix uninitialized variable issue
libphp-adodb Fix SQL injection vulnerability in pg_insert_id() [CVE-2025-46337]
libraw Fix out-of-bounds read issues [CVE-2025-43961 CVE-2025-43962 CVE-2025-43963]; enforce minimum w0 and w1 values [CVE-2025-43964]
libreoffice Add EUR support for Bulgaria
libsndfile Fix integer overflow issue [CVE-2022-33065]; fix out-of-bounds read issue [CVE-2024-50612]
libsoup3 New upstream bug-fix release; fix buffer overrun issue [CVE-2024-52531]; fix denial of service issues [CVE-2024-52532 CVE-2025-32051]; fix heap overflow issues [CVE-2025-32052 CVE-2025-32053]; fix integer overflow issue [CVE-2025-32050]; fix heap buffer overflow issues [CVE-2025-2784]; reject HTTP headers if they contain null bytes [CVE-2024-52530]; fix denial of service issues [CVE-2025-32909 CVE-2025-32910 CVE-2025-46420 CVE-2025-32912 CVE-2025-32906]; fix memory management issues [CVE-2025-32911 CVE-2025-32913]; fix credential disclosure issue [CVE-2025-46421]; fix use-after-free during disconnection, which can cause GNOME Calculator to hang at startup; fix a test failure on some 32-bit systems
libtheora Fix segfault during decoder initialisation; avoid possible bit-shifting in decoder
libtpms Fix out of bounds read issue [CVE-2025-49133]
libxml2 Fix integer overflow issue in xmlBuildQName [CVE-2025-6021]; fix potential buffer overflows in the interactive shell [CVE-2025-6170]; fix use-after-free issue in xmlSchematronReportOutput [CVE-2025-49794]; fix type confusion issue in xmlSchematronReportOutput [CVE-2025-49796]
libyaml-libyaml-perl Fix arbitrary file edit issue [CVE-2025-40908]
lintian Add the release names from bookworm through duke to the list of known Debian release names; don't emit source-nmu-has-incorrect-version-number for stable updates
linux New upstream stable release; increase ABI to 39
linux-signed-amd64 New upstream stable release; increase ABI to 39
linux-signed-arm64 New upstream stable release; increase ABI to 39
linux-signed-i386 New upstream stable release; increase ABI to 39
llvm-toolchain-19 New upstream stable release
luajit Fix buffer overflow issue [CVE-2024-25176]; fix denial of service issue [CVE-2024-25177]; fix out-of-bounds read issue [CVE-2024-25178]
lxc Rebuild against glibc 2.36-9+deb12u12
mailgraph Update embedded copy of Parse::Syslog, enabling support for RFC3339 dates
mariadb New upstream stable release; security fixes [CVE-2023-52969 CVE-2023-52970 CVE-2023-52971 CVE-2025-30693 CVE-2025-30722]; fix restart after out of memory; new upstream stable release; fix variable name in debian-start.sh
mkchromecast Replace youtube-dl with yt-dlp
mlt Fix Python scripts
mono Remove unneeded (and broken) mono-source package
mosquitto Fix memory leak issue [CVE-2023-28366]; fix out of bounds memory access issue [CVE-2024-10525]; fix double free issue [CVE-2024-3935]; fix possible segmentation fault issue [CVE-2024-8376]
multipath-tools Reinstate ANA prioritizer in build process
nextcloud-desktop Fix share options in graphical interface
nginx Fix potential information leak in ngx_mail_smtp_module [CVE-2025-53859]
node-addon-api Add support for nodejs >= 18.20
node-csstype Fix build failure
node-form-data Fix insufficient randomness issue [CVE-2025-7783]
node-minipass Fix tap reporter in auto test and autopkgtest
node-nodeunit Fix test flakiness
node-tar-fs Fix path traversal issues [CVE-2024-12905 CVE-2025-48387]
node-tmp Fix arbitrary file write issue [CVE-2025-54798]
nvda2speechd Fix required rmp-serde version
openjpeg2 Fix NULL pointer dereference issue [CVE-2025-50952]
openssh Handle OpenSSL >=3 ABI compatibility to avoid new SSH connections failing during upgrades to trixie
openssl New upstream stable release; revert some upstream changes to avoid crashes in downstream software
perl Fix TLS certificate verification issue [CVE-2023-31484]; fix non thread safe file access [CVE-2025-40909]
postgresql-15 New upstream stable release; tighten security checks in planner estimation functions [CVE-2025-8713]; prevent pg_dump scripts from being used to attack the user running the restore [CVE-2025-8714]; convert newlines to spaces in names included in comments in pg_dump output [CVE-2025-8715]
postgresql-common PgCommon.pm: Set defined path in prepare_exec. Fixes compatibility with trixie's perl version
prody Fix build failure; add tolerance to some tests which now fail on i386
python-django Fix regular expression-based denial of service issue [CVE-2023-36053], denial of service issues [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990 CVE-2024-41991], user enumeration issue [CVE-2024-39329], directory traversal issue [CVE-2024-39330], excessive memory consumption issue [CVE-2024-41989], SQL injection issue [CVE-2024-42005]
python-flask-cors Fix log data injection issue [CVE-2024-1681]; fix improper path processing issues [CVE-2024-6866 CVE-2024-6839 CVE-2024-6844]
python-mitogen Support targets with Python >= 3.12
python-zipp Fix denial of service issue [CVE-2024-5569]
qemu Rebuild against glibc 2.36-9+deb12u12; new upstream bugfix release
raptor2 Fix integer underflow issue [CVE-2024-57823]; fix heap read buffer overflow issue [CVE-2024-57822]
rar New upstream release; fix ANSI escape injection issue [CVE-2024-33899]
rubygems Fix credential leak issue [CVE-2025-27221]; fix regular expression related denial of service issue [CVE-2023-28755]
rust-cbindgen-web Rebuild against current rustc-web
rustc-web New upstream stable release, to support building of newer Chromium versions
samba Fix various bugs following a change to Microsoft Active Directory
sash Rebuild against glibc 2.36-9+deb12u12
setuptools Fix arbitrary file write issue [CVE-2025-47273]
shaarli Fix cross-site scripting issue [CVE-2025-55291]
simplesamlphp Fix signature verification issue [CVE-2025-27773]
snapd Rebuild against glibc 2.36-9+deb12u12
sqlite3 Fix memory corruption issue [CVE-2025-6965]; fix bug in NOT NULL/IS NULL optimization that can cause invalid data
supermin Rebuild against glibc 2.36-9+deb12u12
systemd New upstream stable release
tini Rebuild against glibc 2.36-9+deb12u12
tripwire Rebuild against glibc 2.36-9+deb12u12
tsocks Rebuild against glibc 2.36-9+deb12u12
tzdata Confirm leap second status for 2025
usb.ids New upstream update
waitress Fix race condition in HTTP pipelining [CVE-2024-49768]; fix denial of service issue [CVE-2024-49769]
webpy Fix SQL injection issue [CVE-2025-3818]
wireless-regdb New upstream release, updating included regulatory data; permit 320 MHz bandwidth in 6 GHz band for GB
wolfssl Fix insufficient randomisation issue [CVE-2025-7394]
wpa Fix inappropriate reuse of PKEX elements [CVE-2022-37660]
xfce4-weather-plugin Migrate to new APIs; update translations
xrdp Fix session restrictions bypass issue [CVE-2023-40184]; fix out-of-bounds read issue [CVE-2023-42822]; fix login restrictions bypass issue [CVE-2024-39917]
ydotool Rebuild against glibc 2.36-9+deb12u12
zsh Rebuild against glibc 2.36-9+deb12u12

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-5914 chromium
DSA-5916 chromium
DSA-5918 varnish
DSA-5919 open-vm-tools
DSA-5920 chromium
DSA-5921 thunderbird
DSA-5922 firefox-esr
DSA-5923 net-tools
DSA-5924 intel-microcode
DSA-5925 linux-signed-amd64
DSA-5925 linux-signed-arm64
DSA-5925 linux-signed-i386
DSA-5925 linux
DSA-5926 firefox-esr
DSA-5927 yelp-xsl
DSA-5927 yelp
DSA-5928 libvpx
DSA-5929 chromium
DSA-5930 libavif
DSA-5931 systemd
DSA-5932 thunderbird
DSA-5933 tcpdf
DSA-5934 roundcube
DSA-5935 chromium
DSA-5936 libfile-find-rule-perl
DSA-5937 webkit2gtk
DSA-5938 python-tornado
DSA-5939 gimp
DSA-5940 modsecurity-apache
DSA-5941 gst-plugins-bad1.0
DSA-5942 chromium
DSA-5943 libblockdev
DSA-5943 udisks2
DSA-5944 chromium
DSA-5945 konsole
DSA-5946 gdk-pixbuf
DSA-5947 xorg-server
DSA-5948 trafficserver
DSA-5949 libxml2
DSA-5950 firefox-esr
DSA-5951 icu
DSA-5952 chromium
DSA-5953 catdoc
DSA-5954 sudo
DSA-5955 chromium
DSA-5956 ring
DSA-5957 mediawiki
DSA-5958 jpeg-xl
DSA-5959 thunderbird
DSA-5960 djvulibre
DSA-5961 slurm-wlm
DSA-5962 gnutls28
DSA-5963 chromium
DSA-5964 firefox-esr
DSA-5965 chromium
DSA-5966 thunderbird
DSA-5967 php8.2
DSA-5968 chromium
DSA-5969 redis
DSA-5970 sope
DSA-5971 chromium
DSA-5972 openjdk-17
DSA-5973 linux-signed-amd64
DSA-5973 linux-signed-arm64
DSA-5973 linux-signed-i386
DSA-5973 linux
DSA-5974 pgpool2
DSA-5976 chromium
DSA-5977 aide
DSA-5978 webkit2gtk
DSA-5979 libxslt
DSA-5980 firefox-esr
DSA-5981 chromium
DSA-5982 squid
DSA-5983 qemu
DSA-5984 thunderbird
DSA-5985 ffmpeg
DSA-5986 node-cipher-base
DSA-5987 unbound
DSA-5988 chromium
DSA-5989 udisks2
DSA-5990 libxml2
DSA-5991 nodejs

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
guix Unsupportable; security issues

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bookworm/ChangeLog

The current oldstable distribution:

https://deb.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

https://deb.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.